
Windows Analysis Report
7.exe

Overview

General Information

Sample Name: 7.exe
Analysis ID: 597511
MD5: ed666bf7f4a0766fcec0e9c8074b089b
SHA1: 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256: d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
Tags: exe

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: CurrentVersion Autorun Keys Modification
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses FTP
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • 7.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\7.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
    • vbc.exe (PID: 7048 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • vbc.exe (PID: 7064 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 5692 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
  • WindowsUpdate.exe (PID: 2372 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
7.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8d9:$key: HawkEyeKeylogger
  • 0x7db15:$salt: 099u787978786
  • 0x7bf12:$string1: HawkEye_Keylogger
  • 0x7cd65:$string1: HawkEye_Keylogger
  • 0x7da75:$string1: HawkEye_Keylogger
  • 0x7c2fb:$string2: holdermail.txt
  • 0x7c31b:$string2: holdermail.txt
  • 0x7c23d:$string3: wallet.dat
  • 0x7c255:$string3: wallet.dat
  • 0x7c26b:$string3: wallet.dat
  • 0x7d657:$string4: Keylog Records
  • 0x7d96f:$string4: Keylog Records
  • 0x7db6d:$string5: do not script -->
  • 0x7b8c1:$string6: \pidloc.txt
  • 0x7b927:$string7: BSPLIT
  • 0x7b937:$string7: BSPLIT
7.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
7.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
7.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(1 further entry not shown)

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8d9:$key: HawkEyeKeylogger
  • 0x7db15:$salt: 099u787978786
  • 0x7bf12:$string1: HawkEye_Keylogger
  • 0x7cd65:$string1: HawkEye_Keylogger
  • 0x7da75:$string1: HawkEye_Keylogger
  • 0x7c2fb:$string2: holdermail.txt
  • 0x7c31b:$string2: holdermail.txt
  • 0x7c23d:$string3: wallet.dat
  • 0x7c255:$string3: wallet.dat
  • 0x7c26b:$string3: wallet.dat
  • 0x7d657:$string4: Keylog Records
  • 0x7d96f:$string4: Keylog Records
  • 0x7db6d:$string5: do not script -->
  • 0x7b8c1:$string6: \pidloc.txt
  • 0x7b927:$string7: BSPLIT
  • 0x7b937:$string7: BSPLIT
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(1 further entry not shown)

Source | Rule | Description | Author | Strings
00000007.00000000.295698908.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000000.294953383.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000007.00000002.336555805.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000006.00000000.294308364.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b6d9:$key: HawkEyeKeylogger
  • 0x7d915:$salt: 099u787978786
  • 0x7bd12:$string1: HawkEye_Keylogger
  • 0x7cb65:$string1: HawkEye_Keylogger
  • 0x7d875:$string1: HawkEye_Keylogger
  • 0x7c0fb:$string2: holdermail.txt
  • 0x7c11b:$string2: holdermail.txt
  • 0x7c03d:$string3: wallet.dat
  • 0x7c055:$string3: wallet.dat
  • 0x7c06b:$string3: wallet.dat
  • 0x7d457:$string4: Keylog Records
  • 0x7d76f:$string4: Keylog Records
  • 0x7d96d:$string5: do not script -->
  • 0x7b6c1:$string6: \pidloc.txt
  • 0x7b727:$string7: BSPLIT
  • 0x7b737:$string7: BSPLIT
(50 further entries not shown)

Source | Rule | Description | Author | Strings
13.2.WindowsUpdate.exe.c99c0d.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1dc67:$key: HawkEyeKeylogger
  • 0x1fea3:$salt: 099u787978786
  • 0x1e2a0:$string1: HawkEye_Keylogger
  • 0x1f0f3:$string1: HawkEye_Keylogger
  • 0x1fe03:$string1: HawkEye_Keylogger
  • 0x1e689:$string2: holdermail.txt
  • 0x1e6a9:$string2: holdermail.txt
  • 0x1e5cb:$string3: wallet.dat
  • 0x1e5e3:$string3: wallet.dat
  • 0x1e5f9:$string3: wallet.dat
  • 0x1f9e5:$string4: Keylog Records
  • 0x1fcfd:$string4: Keylog Records
  • 0x1fefb:$string5: do not script -->
  • 0x1dc4f:$string6: \pidloc.txt
  • 0x1dcb5:$string7: BSPLIT
  • 0x1dcc5:$string7: BSPLIT
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
13.2.WindowsUpdate.exe.cefa72.3.raw.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x1e2f8:$hawkstr1: HawkEye Keylogger
  • 0x1f139:$hawkstr1: HawkEye Keylogger
  • 0x1f468:$hawkstr1: HawkEye Keylogger
  • 0x1f5c3:$hawkstr1: HawkEye Keylogger
  • 0x1f726:$hawkstr1: HawkEye Keylogger
  • 0x1f9bd:$hawkstr1: HawkEye Keylogger
  • 0x1de86:$hawkstr2: Dear HawkEye Customers!
  • 0x1f4bb:$hawkstr2: Dear HawkEye Customers!
  • 0x1f612:$hawkstr2: Dear HawkEye Customers!
  • 0x1f779:$hawkstr2: Dear HawkEye Customers!
  • 0x1dfa7:$hawkstr3: HawkEye Logger Details:
(164 further entries not shown)


Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\7.exe, ProcessId: 6464, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\7.exe, ProcessId: 6464, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\7.exe, ProcessId: 6464, TargetFilename: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
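The process tree (7.exe launching two vbc.exe instances with NirSoft's /stext switch, then re-launching itself as WindowsUpdate.exe from AppData\Roaming) and the three Sigma rows above record the host-side behaviour a detection engineer would want to catch outside the sandbox. The Python below is an added example written for this page, not code from Joe Sandbox, from the Sigma project or from the report itself; the Sysmon-style event records and their field names are constructed to mirror the Data column and are assumptions, not real telemetry.

```python
"""Added example (not part of the Joe Sandbox report): rule logic for the three
host behaviours recorded above, run over constructed Sysmon-style events.
Field names (EventID, Image, CommandLine, TargetObject, Details, TargetFilename)
follow the Data column of the Sigma rows; the event records themselves are
made up for this example and are not real telemetry."""

import re
from typing import Dict, List

# Autorun value under ...\CurrentVersion\Run or RunOnce (HKCU or HKLM).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations an unprivileged user can write to (where the dropper copied itself).
USER_WRITABLE = re.compile(r"\\(Desktop|Downloads|AppData|Temp)\\", re.I)
# vbc.exe is the VB.NET compiler; it never takes NirSoft's /stext, /sxml, /shtml
# or /scomma "save report" switches. HawkEye hollows vbc.exe and runs
# MailPassView / WebBrowserPassView inside it with exactly this command line.
NIRSOFT_SAVE = re.compile(r"\\vbc\.exe\b.*\s/s(text|xml|html|comma)\s", re.I)


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return the findings for one event (empty list if nothing is suspicious)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    image = str(ev.get("Image", ""))

    if eid == 1:  # process creation
        cmd = str(ev.get("CommandLine", ""))
        if NIRSOFT_SAVE.search(cmd):
            findings.append(f"vbc.exe hosting a NirSoft credential dump: {cmd}")

    elif eid == 13:  # registry value set
        target = str(ev.get("TargetObject", ""))
        details = str(ev.get("Details", ""))
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            findings.append(f"Run-key persistence into a user-writable path: {target} -> {details}")

    elif eid == 11:  # file created
        dropped = str(ev.get("TargetFilename", ""))
        if (dropped.lower().endswith(".exe")
                and USER_WRITABLE.search(dropped)
                and USER_WRITABLE.search(image)):
            findings.append(f"user-path binary dropped a PE into the profile: {image} -> {dropped}")

    return findings


def scan(events: List[Dict[str, object]]) -> List[str]:
    """Run check_event over a batch of events and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed events mirroring the report's process tree and Sigma rows,
# followed by two benign look-alikes that the rules must not fire on.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "ParentImage": r"C:\Users\user\Desktop\7.exe",
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"'},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\7.exe", "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\7.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"},
    # benign: a genuine VB.NET compile, and an installer registering itself from Program Files
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /target:library /out:util.dll util.vb"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe", "EventType": "SetValue",
     "TargetObject": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The two benign records at the end of SAMPLE_EVENTS (a real vbc.exe compile, and a Run value written under Program Files by an installer) show what each rule deliberately ignores. The EventID 11 rule is the loosest of the three; in a real pipeline it would be joined to the hash field of the later EventID 1 for the dropped path, since the report shows WindowsUpdate.exe carrying the same MD5 as 7.exe, which is the self-copy that ties the persistence entry back to the dropper.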

                            AV Detection

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: 7.exe | Virustotal: Detection: 83%
Source: 7.exe | Metadefender: Detection: 68%
Source: 7.exe | ReversingLabs: Detection: 95%
Source: 7.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Metadefender: Detection: 68%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 95%
Source: 7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Source: 6.0.vbc.exe.400000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.7.exe.140000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.7.exe.140000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.0.7.exe.140000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.7.exe.140000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.4.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: unknown | HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49778 version: TLS 1.0
Source: 7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\7.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 7.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Source: Binary string: indows\System.pdbpdbtem.pdbUs source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.Runtime.Remoting.pdbB source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
                            Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Runtime.Remoting.pdb0| source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
                            Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
                            Source: Binary string: System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Runtime.Remoting.pdb7 source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.pdbd source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: 7.exe | Binary or memory string: [autorun]
Source: 7.exe | Binary or memory string: autorun.inf
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: 7.exe | Binary or memory string: autorun.inf
Source: 7.exe | Binary or memory string: [autorun]
Source: WindowsUpdate.exe.0.dr | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe.0.dr | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

                            Networking

Source: C:\Users\user\Desktop\7.exe | DNS query: name: whatismyipaddress.com (10 identical queries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: whatismyipaddress.com  Connection: Keep-Alive (2 identical requests, no User-Agent header)
Source: unknown | HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49778 version: TLS 1.0
Source: unknown | FTP traffic detected: 145.14.144.149:21 -> 192.168.2.4:49792 220 ProFTPD Server (000webhost.com) [::ffff:145.14.144.149]
Source: vbc.exe, 00000007.00000003.327330196.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329240962.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.327136256.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.327359764.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329711659.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326799116.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326997633.0000000002205000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr | String found in binary or memory: http://172.217.23.78/
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: vbc.exe, 00000007.00000003.328908883.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329381056.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329120944.000000000220A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/name=euconsent&value=&expire=0&isFirstRequest=truef5-b8c0-4
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 7.exe, WindowsUpdate.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 7.exe, 00000000.00000002.516042380.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, bhv4267.tmp.7.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000000B.00000002.321167778.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000D.00000002.337092250.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo.com/fooT
Source: WindowsUpdate.exe, 0000000D.00000002.336781223.0000000001531000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://google.com/
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxYWZjY2Q0NWJhMmI1MGJkMWJjMzhmMGFlZWM2MDJmMjc2O
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjU5Zjc4ZGRjN2Y0NThlYzE2YmNhY2E0Y2E2YmFkYzgwNTYyZ
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5N
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImRjOWViNGY4OTFjMzQ4NTUyMWQyYWZlZDU1MmZmOWI0NzQyN
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4267.tmp.7.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvoN9?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eTok?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ywNG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                            Source: 7.exe, WindowsUpdate.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0:
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0B
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0E
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0F
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0K
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0M
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0R
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.msocsp.com0
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/gsr202
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0-
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
                            Source: bhv4267.tmp.7.drString found in binary or memory: http://support.google.com/accounts/answer/151657
                            Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com
                            Source: WindowsUpdate.exeString found in binary or memory: http://whatismyipaddress.com/
                            Source: 7.exe, WindowsUpdate.exe.0.drString found in binary or memory: http://whatismyipaddress.com/-
                            Source: 7.exe, 00000000.00000003.262076697.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.agfamonotype.DI
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254843316.0000000004E9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255331043.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                            Source: 7.exe, 00000000.00000003.255331043.0000000000CCC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com$
                            Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comT
                            Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comate
                            Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comcoc
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                            Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comnte
                            Source: 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.
                            Source: 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comyo
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                            Source: 7.exe, 00000000.00000003.261536786.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                            Source: 7.exe, 00000000.00000003.263754771.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                            Source: 7.exe, 00000000.00000003.262969147.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263452860.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263206127.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263385408.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263278615.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263076891.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.262837867.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                            Source: 7.exe, 00000000.00000002.519636455.0000000004E90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comD
                            Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                            Source: bhv4267.tmp.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
                            Source: bhv4267.tmp.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
                            Source: bhv4267.tmp.7.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                            Source: bhv4267.tmp.7.drString found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipOcdIDtTfqJElTfRhjdFP9dPcYlW61iEhrydiuX=w92-h92-n-k-no
                            Source: bhv4267.tmp.7.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                            Source: bhv4267.tmp.7.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                            Source: WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
                            Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.com/
                            Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.comx&Qq
                            Source: WindowsUpdate.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
                            Source: unknown DNS traffic detected: queries for: 49.124.12.0.in-addr.arpa
                            Source: global traffic HTTP traffic detected: GET / HTTP/1.1
                                Host: whatismyipaddress.com
                                Connection: Keep-Alive
                            Source: global traffic HTTP traffic detected: GET / HTTP/1.1
                                Host: whatismyipaddress.com
                                Connection: Keep-Alive
                            Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
                            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
                            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
                                Date: Sat, 26 Mar 2022 06:59:51 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                CF-Chl-Bypass: 1
                                Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                X-Frame-Options: SAMEORIGIN
                                Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                Set-Cookie: __cf_bm=Vd7oHkI86VCkRNhJ2ufFFOkskwgzG61jnL7.1ngI0ZI-1648277991-0-AXKGAVonDzYglQ/tiv8FR+qwypp7BnEq4lYKCAOahVihbQj4Dc3wxS0Ubdt8j3dqzSOLMUDxNAMCmdmFvxUXhL8=; path=/; expires=Sat, 26-Mar-22 07:29:51 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
                                Server: cloudflare
                                CF-RAY: 6f1e0185c8788ffa-FRA
                                alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                            Source: vbc.exe, 00000007.00000002.336834099.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336204608.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336282988.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook) and www.yahoo.com (Yahoo)
                            Source: 7.exe, WindowsUpdate.exe.0.drString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                            Source: 7.exe, WindowsUpdate.exe.0.drString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/beauty|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/food|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/health|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/makers|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/movies|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/music|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/parents|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/politics|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/style|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tech|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/travel|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tv|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: bhv4267.tmp.7.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com|ntpproviders equals www.yahoo.com (Yahoo)
                            Source: WindowsUpdate.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 7.exe, type: SAMPLE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: 7.exe, Form1.cs | .Net Code: HookKeyboard
Source: WindowsUpdate.exe.0.dr, Form1.cs | .Net Code: HookKeyboard
Source: 0.2.7.exe.140000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 0.0.7.exe.140000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,
Source: WindowsUpdate.exe, 0000000B.00000002.320055684.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
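The Yara-match, "Matched rule", "Code function" and ".Net Code" lines in this report and in the System Summary all follow one shape, "Source: <where> <what>", and the <where> part encodes the process the evidence came from: "11.2.WindowsUpdate.exe.4a0000.0.unpack" and the memory dump "0000000B.00000002...00000000004A2000...sdmp" both refer to process index 11 (0xB) at the same image base, and "Process Memory Space: WindowsUpdate.exe PID: 5692" ties that process to a PID. The script below is an added example, not part of the Joe Sandbox report or the Joe Security tooling: it parses such lines into a per-process triage summary (which image each process index is, which PIDs and dropped files were hit, which rules fired, which API names the code-function lines list). The sample lines are copied from this report; the reading of the identifier fields (first field = process index, second = dump phase with 0 at process start and 2 at process end, then a base address) is our assumption, and the parser accepts the columns either fused as the page extraction left them ("SAMPLEMatched rule:") or separated by " | ".

```python
"""Parse Joe Sandbox 'Source: ...' signature lines into a triage summary.

Added example, not part of the report. Line shapes and sample values come from
the report; the parser and the interpretation of the identifier fields are
our own assumptions (process index, dump phase 0 = start / 2 = end, base).
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report, some in the column-fused
# form the extraction produced, some with an explicit ' | ' column separator.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 7.exe, type: SAMPLE",
    "Source: Yara match | File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY",
    "Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR",
    "Source: Yara matchFile source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR",
    "Source: Yara matchFile source: C:\\Users\\user\\AppData\\Roaming\\WindowsUpdate.exe, type: DROPPED",
    "Source: 7.exe, type: SAMPLEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 7.exe, type: SAMPLE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group",
    "Source: C:\\Users\\user\\AppData\\Roaming\\WindowsUpdate.exeCode function: 11_2_004AD426",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exeCode function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,",
    "Source: 7.exe, Form1.cs.Net Code: HookKeyboard",
]

# Column boundary: an explicit ' | ' or nothing at all (fused extraction).
SEP = r"(?:\s*\|\s*|(?<=\S))"
RE_YARA = re.compile(r"^Source: Yara match" + SEP + r"File source: (?P<src>.+?), type: (?P<type>\w+)$")
RE_RULE = re.compile(r"^Source: (?P<src>.+?), type: (?P<type>\w+)" + SEP + r"Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")
RE_FUNC = re.compile(r"^Source: (?P<src>.+?\.exe)" + SEP + r"Code function: (?P<pidx>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>.*)$")
RE_NET = re.compile(r"^Source: (?P<src>.+?), (?P<file>\w+\.cs)" + SEP + r"\.Net Code: (?P<member>\w+)$")

# Identifier formats (assumed): <pidx>.<phase>.<image>.<base>.<n>[.raw].unpack,
# <pidx hex>.<phase hex>.<n>.<base hex>....sdmp, and "Process Memory Space: <image> PID: <pid>".
RE_UNPACK = re.compile(r"^(?P<pidx>\d+)\.(?P<phase>\d+)\.(?P<name>.+?)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)\.(?:raw\.)?unpack$")
RE_SDMP = re.compile(r"^(?P<pidx>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\.")
RE_PIDLINE = re.compile(r"^Process Memory Space: (?P<name>\S+) PID: (?P<pid>\d+)$")


def describe_source(src):
    """Extract process index / phase / base / PID / path from a 'File source' value."""
    m = RE_UNPACK.match(src)
    if m:
        return {"pidx": int(m["pidx"]), "phase": int(m["phase"]), "name": m["name"], "base": int(m["base"], 16)}
    m = RE_SDMP.match(src)
    if m:
        return {"pidx": int(m["pidx"], 16), "phase": int(m["phase"], 16), "base": int(m["base"], 16)}
    m = RE_PIDLINE.match(src)
    if m:
        return {"name": m["name"], "pid": int(m["pid"])}
    if "\\" in src:
        return {"path": src}
    return {}


def parse_line(line):
    """Return a dict for one signature line, or None if the shape is not recognised."""
    line = line.strip()
    m = RE_YARA.match(line)
    if m:
        return {"kind": "yara", "type": m["type"], "src": m["src"], **describe_source(m["src"])}
    m = RE_RULE.match(line)
    if m:
        return {"kind": "rule", "type": m["type"], "src": m["src"], "rule": m["rule"],
                "author": m["author"], **describe_source(m["src"])}
    m = RE_FUNC.match(line)
    if m:
        return {"kind": "func", "src": m["src"], "pidx": int(m["pidx"]), "phase": int(m["phase"]),
                "addr": int(m["addr"], 16), "apis": [a for a in m["apis"].split(",") if a]}
    m = RE_NET.match(line)
    if m:
        return {"kind": "dotnet", "src": m["src"], "file": m["file"], "member": m["member"]}
    return None


def summarize(lines):
    """Aggregate parsed lines: process index -> image, PIDs, rules, dropped files, APIs, .NET members, memory hits."""
    recs = [r for r in map(parse_line, lines) if r]
    names = {}  # process index -> image name, learned from unpack and code-function identifiers
    for r in recs:
        if "pidx" in r and "name" in r:
            names[r["pidx"]] = r["name"]
        elif r["kind"] == "func":
            names[r["pidx"]] = r["src"].rsplit("\\", 1)[-1]
    s = {"processes": names, "pids": defaultdict(set), "rules": defaultdict(set),
         "dropped": set(), "apis": set(), "dotnet": set(), "memory_hits": set()}
    for r in recs:
        if r["kind"] == "yara":
            if "pid" in r:
                s["pids"][r["name"]].add(r["pid"])
            if r["type"] == "DROPPED":
                s["dropped"].add(r["path"])
            if "base" in r:  # memory-only hits resolved to an image via the index map
                s["memory_hits"].add((names.get(r["pidx"], "?"), r["phase"], r["base"]))
        elif r["kind"] == "rule":
            s["rules"][r["rule"]].add(r["src"])
        elif r["kind"] == "func":
            s["apis"].update(r["apis"])
        elif r["kind"] == "dotnet":
            s["dotnet"].add((r["file"], r["member"]))
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for key in ("processes", "pids", "rules", "dropped", "memory_hits", "apis", "dotnet"):
        print(key, dict(summary[key]) if isinstance(summary[key], defaultdict) else summary[key])
```

Feeding the whole report's signature table through `summarize` gives the set of process indexes and PIDs to pull from the full dump, the one dropped path to hunt for on other hosts, and the clipboard and keyboard-hook API names that the vbc.exe and Form1.cs lines expose, without re-reading several hundred near-identical rows.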

                            System Summary

Source: 7.exe, type: SAMPLE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.exe, type: SAMPLE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_0014D426
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_0014D523
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_0015D5AE
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_00157646
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_001829BE
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_00186AF4
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_001AABFC
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_001A3C4D
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_001A3CBE
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_0014ED03
Source: C:\Users\user\Desktop\7.exe | Code function: 0_2_0017C7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004AD426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004AD523
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004BD5AE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004B7646
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004E29BE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004E6AF4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_0050ABFC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00503C4D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00503CBE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004AED03
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00503D2F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_00503DC0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004ACF92
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004BAFA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 11_2_004DC7BC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00C9D426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CAD5AE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00C9D523
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CA7646
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CD29BE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CD6AF4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CFABFC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CF3CBE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CF3C4D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CF3DC0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00C9ED03
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CF3D2F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00C9CF92
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CAAFA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_00CCC7BC
Source: 7.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\7.exe | Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: security.dll
Source: 7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7.exe, type: SAMPLE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.exe, type: SAMPLE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.exe, type: SAMPLE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.7650000.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.7.exe.7660000.9.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0.2.7.exe.27bab9c.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 00000000.00000002.521204607.0000000007650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 00000000.00000002.521214363.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
                            Source: C:\Users\user\Desktop\7.exeCode function: String function: 0018BA9D appears 34 times
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: String function: 00CDBA9D appears 35 times
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: String function: 004EBA9D appears 35 times
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                            Source: 7.exeBinary or memory string: OriginalFilename vs 7.exe
                            Source: 7.exeBinary or memory string: OriginalFileName vs 7.exe
                            Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
                            Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
                            Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 7.exe
                            Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 7.exe
                            Source: 7.exe, 00000000.00000002.515690583.00000000001C2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 7.exe
                            Source: 7.exe, 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 7.exe
                            Source: 7.exe, 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 7.exe
                            Source: 7.exe, 00000000.00000002.521204607.0000000007650000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
                            Source: 7.exeBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
                            Source: 7.exeBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 7.exe
                            Source: 7.exeBinary or memory string: OriginalFilenamemailpv.exe< vs 7.exe
                            Source: 7.exeBinary or memory string: OriginalFilenamePhulli.exe0 vs 7.exe
                            Source: 7.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\Desktop\7.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/7@4/4
                            Source: 7.exe, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 0.2.7.exe.140000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 0.0.7.exe.140000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: WindowsUpdate.exe.0.dr, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,
                            Source: 7.exe, 00000000.00000003.267943145.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267693167.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.268064535.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267853044.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267439265.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267611430.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Digitized data copyright The Monotype Corporation 1991-1995. All rights reserved.slnt
                            Source: 7.exeVirustotal: Detection: 83%
                            Source: 7.exeMetadefender: Detection: 68%
                            Source: 7.exeReversingLabs: Detection: 95%
                            Source: C:\Users\user\Desktop\7.exeFile read: C:\Users\user\Desktop\7.exeJump to behavior
                            Source: C:\Users\user\Desktop\7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: unknownProcess created: C:\Users\user\Desktop\7.exe "C:\Users\user\Desktop\7.exe"
                            Source: C:\Users\user\Desktop\7.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                            Source: C:\Users\user\Desktop\7.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                            Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
                            Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
                            Source: C:\Users\user\Desktop\7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\holdermail.txt
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
                            Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                            Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                            Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, 7.exe, 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000000.295698908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.336555805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000007.00000000.294642291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                            Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                            Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                            Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                            Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                            Source: C:\Users\user\Desktop\7.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                            Source: C:\Users\user\Desktop\7.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                            Source: C:\Users\user\Desktop\7.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
                            Source: 7.exe, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: WindowsUpdate.exe.0.dr, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 0.2.7.exe.140000.0.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 0.0.7.exe.140000.0.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                            Source: 7.exeString found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
                            Source: 7.exe, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                            Source: 7.exe, Form1.csCryptographic APIs: 'CreateDecryptor'
                            Source: WindowsUpdate.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                            Source: WindowsUpdate.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor'
                            Source: C:\Users\user\Desktop\7.exeFile read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Users\user\Desktop\7.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                            Source: C:\Users\user\Desktop\7.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                            Source: 7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: 7.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Source: Binary string: indows\System.pdbpdbtem.pdbUs source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.Runtime.Remoting.pdbB source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
                            Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Runtime.Remoting.pdb0| source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
                            Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
                            Source: Binary string: System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Runtime.Remoting.pdb7 source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.pdbd source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp

                            Data Obfuscation

                            Source: 7.exe, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 7.exe, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 7.exe, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 7.exe, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: WindowsUpdate.exe.0.dr, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: WindowsUpdate.exe.0.dr, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: WindowsUpdate.exe.0.dr, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: WindowsUpdate.exe.0.dr, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.2.7.exe.140000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.2.7.exe.140000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.2.7.exe.140000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.2.7.exe.140000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.0.7.exe.140000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.0.7.exe.140000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.0.7.exe.140000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 0.0.7.exe.140000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                            Source: C:\Users\user\Desktop\7.exeCode function: 0_2_001B0712 push eax; ret
                            Source: C:\Users\user\Desktop\7.exeCode function: 0_2_0018BA9D push eax; ret
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00411879 push ecx; ret
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004118A0 push eax; ret
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00442871 push ecx; ret
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00442A90 push eax; ret
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00446E54 push eax; ret
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_00510712 push eax; ret
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_004EBA9D push eax; ret
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 13_2_00D00712 push eax; ret
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 13_2_00CDBA9D push eax; ret
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
                            Source: C:\Users\user\Desktop\7.exeFile created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                            Source: C:\Users\user\Desktop\7.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Users\user\Desktop\7.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                            Source: C:\Users\user\Desktop\7.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                            Source: C:\Users\user\Desktop\7.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\7.exe TID: 6496 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\7.exe TID: 6872 | Thread sleep time: -120000s >= -30000s
                            Source: C:\Users\user\Desktop\7.exe TID: 6876 | Thread sleep time: -140000s >= -30000s
                            Source: C:\Users\user\Desktop\7.exe TID: 6880 | Thread sleep time: -41600s >= -30000s
                            Source: C:\Users\user\Desktop\7.exe TID: 4612 | Thread sleep time: -180000s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4364 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5540 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6204 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5924 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\7.exe | Last function: Thread delayed
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                            Source: C:\Users\user\Desktop\7.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\7.exe | Thread delayed: delay time: 180000
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\7.exe | Thread delayed: delay time: 120000
                            Source: C:\Users\user\Desktop\7.exe | Thread delayed: delay time: 140000
                            Source: bhv4267.tmp.7.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220308T094322Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=aa63b3d6130c474bb239fb07629d02b3&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
                            Source: WindowsUpdate.exe, 0000000D.00000002.336781223.0000000001531000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
                            Source: bhv4267.tmp.7.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220326T065924Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=2063bd904d8c466b997524b68d6ff626&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
                            Source: WindowsUpdate.exe, 0000000B.00000002.320341711.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\Desktop\7.exe | Process information queried: ProcessInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004161B0 memset,GetSystemInfo,
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
                            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
                            Source: C:\Users\user\Desktop\7.exe | Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\7.exe | Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\7.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                            Source: C:\Users\user\Desktop\7.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                            Source: C:\Users\user\Desktop\7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                            Source: 7.exe, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: 7.exe, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: WindowsUpdate.exe.0.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: WindowsUpdate.exe.0.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: 0.2.7.exe.140000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: 0.2.7.exe.140000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: 0.0.7.exe.140000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: 0.0.7.exe.140000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                            Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                            Source: C:\Users\user\Desktop\7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                            Source: C:\Users\user\Desktop\7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\7.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406278 GetVersionExA,
Source: C:\Users\user\Desktop\7.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\7.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: 7.exe, 00000000.00000002.516042380.00000000008D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                            Stealing of Sensitive Information

Source: Yara match | File source: 7.exe, type: SAMPLE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.cefa72.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.3777e00.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.3777e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.19fa72.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.cefa72.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4ffa72.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4ffa72.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.19fa72.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.294953383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.294308364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.293577766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.298222590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match | File source: 7.exe, type: SAMPLE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 7.exe, type: SAMPLE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c99c0d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.149c0d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.3790020.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.3777e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c99c0d.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.149c0d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.3790020.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.295698908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.336555805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.294642291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.295228513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

                            Remote Access Functionality

Source: Yara match | File source: 7.exe, type: SAMPLE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: 7.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: 7.exe | String found in binary or memory: HawkEyeKeylogger
Source: 7.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: 7.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HawkEyeKeylogger
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qBAHawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q]\ftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_818225%203.26.2022%208:08:01%20AM.txt
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qcbftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_818225%203.26.2022%208:08:01%20AM.txt
Source: 7.exe, 00000000.00000002.517749206.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qCB/HawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.517749206.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qBAHawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txtd8
Source: 7.exe, 00000000.00000002.517749206.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qIHSTOR HawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe | String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe | String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: 7.exe | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: 7.exe | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: 7.exe | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: 7.exe | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe.0.dr | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe.0.dr | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe.0.dr | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                            Source: WindowsUpdate.exe.0.drString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_029C0A8E listen,
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_029C0FC6 bind,
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_029C0F93 bind,
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 11_2_029C0A50 listen,
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 13_2_05920A8E listen,
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 13_2_05920FC6 bind,
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 13_2_05920F93 bind,
                            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 13_2_05920A50 listen,
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Replication Through Removable Media | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | 1 Replication Through Removable Media | 11 Archive Collected Data | 1 Exfiltration Over Alternative Protocol | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 11 Native API | 1 Registry Run Keys / Startup Folder | 411 Process Injection | 11 Deobfuscate/Decode Files or Information | 11 Input Capture | 1 Peripheral Device Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Shared Modules | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 31 Obfuscated Files or Information | 2 Credentials in Registry | 1 Account Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 2 Command and Scripting Interpreter | Logon Script (Mac) | Logon Script (Mac) | 11 Software Packing | 1 Credentials In Files | 1 File and Directory Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 18 System Information Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | 14 Application Layer Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 131 Security Software Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 411 Process Injection | Proc Filesystem | 21 Virtualization/Sandbox Evasion | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | 3 Process Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 System Owner/User Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | 1 Remote System Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | 1 System Network Configuration Discovery | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph ID: 597511, Sample: 7.exe, Start date: 26/03/2022, Architecture: WINDOWS, Score: 100

Signatures on the submitted sample:
• Malicious sample detected (through community Yara rule)
• Antivirus / Scanner detection for submitted sample
• Multi AV Scanner detection for submitted file
• 8 other signatures

Process 7.exe 16 8 (started)
• DNS/IP: whatismyipaddress.com 104.16.154.36, 443, 49777, 49778 CLOUDFLARENETUS United States
• DNS/IP: us-east-1.route-1000.000webhost.awex.io 145.14.144.149, 21, 49792 AWEXUS Netherlands
• DNS/IP: 3 other IPs or domains
• Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe, PE32
• Dropped: C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII
• Signature: May check the online IP address of the machine
• Signature: Changes the view of files in windows explorer (hidden files and folders)
• Signature: Writes to foreign memory regions
• 3 other signatures
• Process vbc.exe 1 (started)
  • Signature: Tries to steal Mail credentials (via file registry)
  • Signature: Tries to steal Instant Messenger accounts or passwords
  • Signature: Tries to steal Mail credentials (via file / registry access)
• Process vbc.exe 2 (started)
  • Signature: Tries to harvest and steal browser information (history, passwords, etc)

Process WindowsUpdate.exe 5 (started)
• DNS/IP: 127.0.0.1 unknown unknown
• Dropped: C:\Users\user\...\WindowsUpdate.exe.log, ASCII
• Signature: Antivirus detection for dropped file
• Signature: Multi AV Scanner detection for dropped file
• Signature: Machine Learning detection for dropped file

Process WindowsUpdate.exe 4 (started)

Source | Detection | Scanner | Label
7.exe | 84% | Virustotal |
7.exe | 69% | Metadefender |
7.exe | 95% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
7.exe | 100% | Avira | TR/AD.MExecute.lzrac
7.exe | 100% | Avira | SPR/Tool.MailPassView.473
7.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 69% | Metadefender |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 95% | ReversingLabs | ByteCode-MSIL.Trojan.Golroted
Source | Detection | Scanner | Label
7.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
6.0.vbc.exe.400000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.2.7.exe.140000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
0.2.7.exe.140000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
7.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
7.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
0.0.7.exe.140000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
0.0.7.exe.140000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
13.2.WindowsUpdate.exe.c90000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
13.2.WindowsUpdate.exe.c90000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
6.0.vbc.exe.400000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
7.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
11.2.WindowsUpdate.exe.4a0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
11.2.WindowsUpdate.exe.4a0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
6.0.vbc.exe.400000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
6.0.vbc.exe.400000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
11.0.WindowsUpdate.exe.4a0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
11.0.WindowsUpdate.exe.4a0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
6.0.vbc.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
13.0.WindowsUpdate.exe.c90000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
13.0.WindowsUpdate.exe.c90000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
7.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
7.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
                            No Antivirus matches
Source | Detection | Scanner | Label
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/) | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
https://whatismyipaddress.comx&Qq | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | URL Reputation | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | URL Reputation | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | URL Reputation | safe
http://www.sandoll.co.kru | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/R | 0% | URL Reputation | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/D | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
http://www.carterandcone.comcoc | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cnlYM | 0% | Avira URL Cloud | safe
https://172.217.23.78/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnicr | 0% | URL Reputation | safe
http://www.carterandcone.comnte | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://www.founder.com.cn/cnate | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/a | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
http://www.carterandcone.com$ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn-u~ | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.carterandcone.comyo | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cnte | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.monotype.EN~ | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn-u | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.comT | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.154.36 | true | false |  | high
us-east-1.route-1000.000webhost.awex.io | 145.14.144.149 | true | false |  | high
files.000webhost.com | unknown | unknown | false |  | high
49.124.12.0.in-addr.arpa | unknown | unknown | false |  | high
Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com/chrome/static/css/main.v2.min.css | bhv4267.tmp.7.dr | false |  | high
https://www.msn.com//searchp/LinkId=255141 | vbc.exe, 00000007.00000003.326997633.0000000002205000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ | vbc.exe, 00000007.00000003.324973841.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326556191.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr | false |  | high
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637 | bhv4267.tmp.7.dr | false |  | high
http://www.msn.com | bhv4267.tmp.7.dr | false |  | high
http://www.fontbureau.com/designers | 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://deff.nelreports.net/api/report?cat=msn | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
https://contextual.media.net/__media__/js/util/nrrV9140.js | bhv4267.tmp.7.dr | false |  | high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhv4267.tmp.7.dr | false |  | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1 | bhv4267.tmp.7.dr | false |  | high
https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows | bhv4267.tmp.7.dr | false |  | high
http://whatismyipaddress.com/- | 7.exe, WindowsUpdate.exe.0.dr | false |  | high
http://www.galapagosdesign.com/DPlease | 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/) | 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258148677.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.zhongyicts.com.cn | 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como. | 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whatismyipaddress.comx&Qq | 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps | bhv4267.tmp.7.dr | false |  | high
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
http://www.sandoll.co.kru | 7.exe, 00000000.00000003.252539610.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.252440722.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq | bhv4267.tmp.7.dr | false |  | high
http://www.jiyu-kobo.co.jp/R | 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256584450.0000000004E92000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k | bhv4267.tmp.7.dr | false |  | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhv4267.tmp.7.dr | false |  | high
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9 | bhv4267.tmp.7.dr | false |  | high
https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhv4267.tmp.7.dr | false |  | high
https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhv4267.tmp.7.dr | false |  | high
http://www.jiyu-kobo.co.jp/D | 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258148677.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pki.goog/repository/0 | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
https://www.msn.com/ | vbc.exe, 00000007.00000003.327136256.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.327359764.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326799116.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326997633.0000000002205000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr | false |  | high
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | bhv4267.tmp.7.dr | false | URL Reputation: safe | unknown
http://www.carterandcone.comcoc | 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                                              https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUebhv4267.tmp.7.drfalse
                                                                                high
                                                                                https://www.google.com/favicon.icobhv4267.tmp.7.drfalse
                                                                                  high
                                                                                  http://www.carterandcone.coml7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.msn.com/bhv4267.tmp.7.drfalse
                                                                                    high
                                                                                    http://www.founder.com.cn/cnlYM7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpgbhv4267.tmp.7.drfalse
                                                                                      high
                                                                                      https://172.217.23.78/vbc.exe, 00000007.00000003.329240962.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329711659.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.drfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://www.google.com/images/nav_logo299.pngbhv4267.tmp.7.drfalse
                                                                                        high
                                                                                        https://www.google.com/chrome/static/images/fallback/icon-help.jpgbhv4267.tmp.7.drfalse
                                                                                          high
                                                                                          http://www.founder.com.cn/cnicr7.exe, 00000000.00000003.253912284.0000000004E9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&bhv4267.tmp.7.drfalse
                                                                                            high
                                                                                            https://www.google.com/accounts/serviceloginWindowsUpdate.exefalse
                                                                                              high
                                                                                              http://www.carterandcone.comnte7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://consent.google.com/set?pc=s&uxe=4421591bhv4267.tmp.7.drfalse
                                                                                                high
                                                                                                http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Zbhv4267.tmp.7.drfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.google.com/images/hpp/Chrome_Owned_96x96.pngbhv4267.tmp.7.drfalse
                                                                                                  high
                                                                                                  http://crl.pki.goog/gsr2/gsr2.crl0?bhv4267.tmp.7.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.founder.com.cn/cnate7.exe, 00000000.00000003.253646233.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253468400.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254218270.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253342487.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254533517.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254350013.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254694365.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.jiyu-kobo.co.jp/a7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://pki.goog/gsr2/GTSGIAG3.crt0)bhv4267.tmp.7.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrFbhv4267.tmp.7.drfalse
                                                                                                    high
                                                                                                    https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2bhv4267.tmp.7.drfalse
                                                                                                      high
                                                                                                      https://www.google.com/chrome/static/images/fallback/icon-fb.jpgbhv4267.tmp.7.drfalse
                                                                                                        high
                                                                                                        https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframesbhv4267.tmp.7.drfalse
                                                                                                          high
                                                                                                          https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_bhv4267.tmp.7.drfalse
                                                                                                            high
                                                                                                            http://www.carterandcone.com$7.exe, 00000000.00000003.255331043.0000000000CCC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            low
                                                                                                            http://www.founder.com.cn/cn/bThe7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=httpsvbc.exe, 00000007.00000003.324973841.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326556191.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.drfalse
                                                                                                              high
                                                                                                              https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authusbhv4267.tmp.7.drfalse
                                                                                                                high
                                                                                                                https://www.google.com/images/phd/px.gifbhv4267.tmp.7.drfalse
                                                                                                                  high
                                                                                                                  https://www.google.com/chrome/static/images/homepage/google-canary.pngbhv4267.tmp.7.drfalse
                                                                                                                    high
                                                                                                                    https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJGbhv4267.tmp.7.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.pngbhv4267.tmp.7.drfalse
                                                                                                                      high
                                                                                                                      https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsbhv4267.tmp.7.drfalse
                                                                                                                        high
                                                                                                                        https://www.google.com/chrome/static/js/main.v2.min.jsbhv4267.tmp.7.drfalse
                                                                                                                          high
                                                                                                                          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfbhv4267.tmp.7.drfalse
                                                                                                                            high
                                                                                                                            https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9bhv4267.tmp.7.drfalse
                                                                                                                              high
                                                                                                                              http://www.founder.com.cn/cnn-u~7.exe, 00000000.00000003.253912284.0000000004E9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://www.typography.netD7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://www.carterandcone.comyo7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://www.zhongyicts.com.cnte7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://fontfabrik.com7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBmbhv4267.tmp.7.drfalse
                                                                                                                                high
                                                                                                                                http://www.monotype.EN~7.exe, 00000000.00000003.262076697.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                low
                                                                                                                                https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2bhv4267.tmp.7.drfalse
                                                                                                                                  high
                                                                                                                                  https://www.google.com/intl/en_uk/chrome/bhv4267.tmp.7.drfalse
                                                                                                                                    high
                                                                                                                                    https://www.google.com/chrome/static/images/fallback/icon-youtube.jpgbhv4267.tmp.7.drfalse
                                                                                                                                      high
                                                                                                                                      https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQNbhv4267.tmp.7.drfalse
                                                                                                                                        high
                                                                                                                                        https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC:bhv4267.tmp.7.drfalse
                                                                                                                                          high
                                                                                                                                          http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkMbhv4267.tmp.7.drfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://www.founder.com.cn/cnn-u7.exe, 00000000.00000003.253912284.0000000004E9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://www.fonts.com7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://www.sandoll.co.kr7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.252539610.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.252440722.0000000004EBF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://www.carterandcone.comT7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094bhv4267.tmp.7.drfalse
                                                                                                                                              high
                                                                                                                                              https://www.google.com/chrome/static/js/installer.min.jsbhv4267.tmp.7.drfalse
                                                                                                                                                high
                                                                                                                                                https://www.google.com/searchbhv4267.tmp.7.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.google.com/chrome/static/images/download-browser/pixel_tablet.pngbhv4267.tmp.7.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://whatismyipaddress.com7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://www.jiyu-kobo.co.jp/jp/7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258148677.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJbhv4267.tmp.7.drfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.16.154.36 | whatismyipaddress.com | United States | 13335 | CLOUDFLARENET US | false
145.14.144.149 | us-east-1.route-1000.000webhost.awex.io | Netherlands | 204915 | AWEX US | false

Private IPs
192.168.2.1
127.0.0.1
                                                                                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                      Analysis ID:597511
                                                                                                                                                      Start date and time:2022-03-26 06:58:25 +01:00
                                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                                      Overall analysis duration:0h 13m 47s
                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                      Report type:light
                                                                                                                                                      Sample file name:7.exe
                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                      Number of new started processes analysed:26
                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                      Technologies:
                                                                                                                                                      • HCA enabled
                                                                                                                                                      • EGA enabled
                                                                                                                                                      • HDC enabled
                                                                                                                                                      • AMSI enabled
                                                                                                                                                      Analysis Mode:default
                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                      Detection:MAL
                                                                                                                                                      Classification:mal100.phis.troj.spyw.evad.winEXE@7/7@4/4
                                                                                                                                                      EGA Information:
                                                                                                                                                      • Successful, ratio: 80%
                                                                                                                                                      HDC Information:
                                                                                                                                                      • Successful, ratio: 27.3% (good quality ratio 25.2%)
                                                                                                                                                      • Quality average: 73.4%
                                                                                                                                                      • Quality standard deviation: 29.9%
                                                                                                                                                      HCA Information:
                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Adjust boot time
                                                                                                                                                      • Enable AMSI
                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                                                                                                                      • Execution Graph export aborted for target 7.exe, PID 6464 because there are no executed functions
                                                                                                                                                      • Not all processes were analyzed, report is missing behavior information
                                                                                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                      Time      Type             Description
                                                                                                                                                      07:59:51  API Interceptor  5x Sleep call for process: 7.exe modified
                                                                                                                                                      07:59:54  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                                                      08:00:04  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                                                      No context
                                                                                                                                                      Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):916
                                                                                                                                                      Entropy (8bit):5.282390836641403
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                                                                                                                                      MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                                                                                                                                      SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                                                                                                                                      SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                                                                                                                                      SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                                                                                                                                      Malicious:true
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8b6baa0f, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):29884416
                                                                                                                                                      Entropy (8bit):1.0170449202764986
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24576:crjyt8HVmyG4w781NfXy7R4aUpP9dCr6f63rsLOZ:Kwy9ry
                                                                                                                                                      MD5:934C3D1A99E6E4B191ED8CB784676BF1
                                                                                                                                                      SHA1:9E97CB6DA3429A6C12B629E8A3527210FF7A96BE
                                                                                                                                                      SHA-256:3611926483D1CA01A1DB2B8C7F61F432767BFA24BD6C16CCC58B24AF44269D64
                                                                                                                                                      SHA-512:5225052FC33EA70B40EAEF6180F6A6A788DBF2E5DA1BD22BC4743A2170933809B4A4FBBF6ADC6939BC0C5433C31A881AE4D3F3CC882EB928E6C94569754C9E44
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:.k..... ........?......_e..*....w........................=......+...z...;...z#.h.?.........................b...*....w..............................................................................................{............B.................................................................................................................. ........;...z.......................................................................................................................................................................................................................................U...;...zu..................{...;...z#.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2
                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Qn:Qn
                                                                                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:..
                                                                                                                                                      Process:C:\Users\user\Desktop\7.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):913920
                                                                                                                                                      Entropy (8bit):7.376805169532317
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12288:ypEQtqB5urTIoYWBQk1E+VF9mOx9wi1T0hnbkOWAvyPx4+c/bUUCy:HQtqBorTlYWBhE+V3mO5vWgxE/nb
                                                                                                                                                      MD5:ED666BF7F4A0766FCEC0E9C8074B089B
                                                                                                                                                      SHA1:1B90F1A4CB6059D573FFF115B3598604825D76E6
                                                                                                                                                      SHA-256:D1330D349BFBD3AEA545FA08EF63339E82A3F4D04E27216ECC4C45304F079264
                                                                                                                                                      SHA-512:D0791EAA9859D751F946FD3252D2056C29328FC97E147A5234A52A3728588A3A1AAA003A8E32863D338EBDCA92305C48B6FA12CA1E620CF27460BF091C3B6D49
                                                                                                                                                      Malicious:true
                                                                                                                                                      Yara Hits:
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Arnim Rupp
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      • Antivirus: Metadefender, Detection: 69%
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 95%
                                                                                                                                                      Reputation:unknown
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.a.....................4........... ........@.. ....................................@.....................................S.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`....... ..............@..B........................H.......0}..h..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                                                                                                      Process:C:\Users\user\Desktop\7.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):26
                                                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                      Malicious:true
                                                                                                                                                      Reputation:unknown
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Users\user\Desktop\7.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:3:3
MD5:894A9B94BCC5969B60BD18E8EA9C0DDC
SHA1:F04A8305CF42ECB7BD5B110ADAB57CE9F68AF30C
SHA-256:7EE3819BF62F7E4563A2A9476DF6E18A6CD17CCEB30B92F00A24A6C8175E3740
SHA-512:56088DA0021FBDB8F45EC54B65B929FF335DC38DE3532911125F7783D5FC04142DF54CAA595CBF666E74EE9CF414F8AE8811E4CA3C1AFB14DDE49B15F57CC565
Malicious:false
Reputation:unknown
Preview:6464

Process:C:\Users\user\Desktop\7.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):28
Entropy (8bit):3.7498677622562893
Encrypted:false
SSDEEP:3:oNt+WfWS0dAn:oNwvSJn
MD5:5441150DCB31D2321C8B08EB4F2229F9
SHA1:32624BFDA16A24F5156DF6CDC6599059BB28806A
SHA-256:CF3960D86A865004B36F3967A25596F06F3EDBBA9EF41800BD5239020BA894EF
SHA-512:8F07350A103D3091B3CF99F72CBBC7FE1E35607D555FC6A2664E28B6FC4BE30D531FC442833B688D0DE2805B1AA8CAB32DB0069D632FFBEC46998486EC9A7F39
Malicious:false
Reputation:unknown
Preview:C:\Users\user\Desktop\7.exe
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.376805169532317
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.69%
• Win32 Executable (generic) a (10002005/4) 49.65%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• InstallShield setup (43055/19) 0.21%
• Windows Screen Saver (13104/52) 0.07%
File name:7.exe
File size:913920
MD5:ed666bf7f4a0766fcec0e9c8074b089b
SHA1:1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256:d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
SHA512:d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49
SSDEEP:12288:ypEQtqB5urTIoYWBQk1E+VF9mOx9wi1T0hnbkOWAvyPx4+c/bUUCy:HQtqBorTlYWBhE+V3mO5vWgxE/nb
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.a.....................4........... ........@.. ....................................@................................
Icon Hash:41455554545445a2
Entrypoint:0x480bee
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x61A643FF [Tue Nov 30 15:32:15 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:v2.0.50727
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x80b98          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x82000          0x3200        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x86000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x7ebf4       0x7ec00   False     0.572708641519   data       6.54105917207    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x82000          0x3200        0x3200    False     0.105390625      data       3.5876692887     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x86000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type    Language  Country
RT_ICON        0x824f0  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 4286019447
RT_ICON        0x827d8  0x128   GLS_BINARY_LSB_FIRST
RT_ICON        0x82900  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON        0x831a8  0x568   GLS_BINARY_LSB_FIRST
RT_ICON        0x83710  0x353   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x83a68  0x10a8  data
RT_ICON        0x84b10  0x468   GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x84f78  0x68    data
RT_VERSION     0x82250  0x2a0   data
RT_MANIFEST    0x84fe0  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL | Import
mscoree.dll | _CorExeMain
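The section table and data-directory entries above are what a static triage script derives from the raw PE headers: the per-section entropy (6.54 for .text here), the executable-section flags, and the COM descriptor entry (0x2008, size 0x48) that marks the file as a managed .NET image whose only native import is mscoree.dll!_CorExeMain. The script below is an added example and not Joe Sandbox's code; it parses those structures directly with `struct` and, because the sample itself is not available offline, builds a constructed single-section PE32 image to run on. The 7.0 entropy cut-off and the constructed image's contents are assumptions made for the example.

```python
import hashlib
import math
import struct
from typing import Dict, List

# Slot 14 of the data directory is the CLR (COM descriptor) header. A non-zero
# entry means a managed image: the native entry point only jumps into
# mscoree.dll!_CorExeMain, which is the sole import in the table above.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> Dict:
    """Read the section table and the CLR directory entry of a PE32/PE32+ file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)     # PE32 vs PE32+ layout
    num_dirs = struct.unpack_from("<I", image, dd_off - 4)[0]
    clr_rva = clr_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", image, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections: List[Dict] = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                    # 40-byte section headers
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 4),
            "executable": bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
        })
    return {"is_clr": clr_rva != 0 and clr_size != 0, "clr_rva": clr_rva,
            "sections": sections}


def triage(image: bytes, packed_threshold: float = 7.0) -> Dict:
    """Flag executable sections whose entropy suggests packed or encrypted code.
    The 7.0 cut-off is an assumption for this example; the sample's .text (6.54)
    sits below it, which fits obfuscated but not encrypted IL."""
    info = parse_pe(image)
    hot = [s["name"] for s in info["sections"]
           if s["executable"] and s["entropy"] > packed_threshold]
    return {"is_clr": info["is_clr"], "high_entropy_code": hot,
            "sections": info["sections"]}


# Constructed test image (not the analysed sample) so the code runs offline.
def pseudo_random(n: int, seed: bytes = b"7.exe") -> bytes:
    """Deterministic high-entropy filler from a SHA-256 chain."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(text_payload: bytes, clr: bool) -> bytes:
    """Minimal PE32 with one .text section at RVA 0x2000; when clr is True the
    CLR directory entry reuses the (0x2008, 0x48) pair shown in the report."""
    file_align = headers_size = 0x200
    raw_size = -(-len(text_payload) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                         0x2008, 0x48)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_payload), 0x2000,
                          raw_size, headers_size, 0, 0, 0, 0,
                          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(headers_size, b"\0")
    return headers + text_payload.ljust(raw_size, b"\0")


if __name__ == "__main__":
    for s in triage(build_sample_pe(pseudo_random(4096), clr=True))["sections"]:
        print(s)
```

On a real file, `triage(open("7.exe", "rb").read())` returns the same fields the report's section table shows; `is_clr` being True tells you to unpack with a .NET decompiler rather than look for native code at the entry point.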
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2014
Assembly Version | 1.0.0.0
InternalName | Phulli.exe
FileVersion | 1.0.0.0
ProductName | Phulli
ProductVersion | 1.0.0.0
FileDescription | Phulli
OriginalFilename | Phulli.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 26, 2022 07:59:50.573096991 CET | 49777 | 80 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.589638948 CET | 80 | 49777 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:50.589754105 CET | 49777 | 80 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.590919018 CET | 49777 | 80 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.607353926 CET | 80 | 49777 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:50.617904902 CET | 80 | 49777 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:50.680655003 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.680695057 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:50.680774927 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.733393908 CET | 49777 | 80 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.918349981 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.918375015 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:50.965903997 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:50.966053009 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.977786064 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:50.977813005 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:50.978216887 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.029911041 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.317478895 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.344531059 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.344666004 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.344749928 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.344755888 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.344796896 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.344851017 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.344872952 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345206976 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345288992 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.345308065 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345385075 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345438004 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.345452070 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345685005 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345746994 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345772028 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.345789909 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345833063 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.345851898 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.345997095 CET | 443 | 49778 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 07:59:51.346059084 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 07:59:51.353233099 CET | 49778 | 443 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 08:00:23.179586887 CET | 49777 | 80 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 08:00:23.196544886 CET | 80 | 49777 | 104.16.154.36 | 192.168.2.4
Mar 26, 2022 08:00:23.196640015 CET | 49777 | 80 | 192.168.2.4 | 104.16.154.36
Mar 26, 2022 08:00:23.253387928 CET | 49792 | 21 | 192.168.2.4 | 145.14.144.149
Mar 26, 2022 08:00:23.378848076 CET | 21 | 49792 | 145.14.144.149 | 192.168.2.4
Mar 26, 2022 08:00:23.378952026 CET | 49792 | 21 | 192.168.2.4 | 145.14.144.149
Mar 26, 2022 08:00:23.518426895 CET | 21 | 49792 | 145.14.144.149 | 192.168.2.4
Mar 26, 2022 08:00:23.523405075 CET | 49792 | 21 | 192.168.2.4 | 145.14.144.149
Mar 26, 2022 08:00:23.649051905 CET | 21 | 49792 | 145.14.144.149 | 192.168.2.4
Mar 26, 2022 08:00:24.476912975 CET | 21 | 49792 | 145.14.144.149 | 192.168.2.4
Mar 26, 2022 08:00:24.480254889 CET | 49792 | 21 | 192.168.2.4 | 145.14.144.149
Mar 26, 2022 08:00:24.606931925 CET | 21 | 49792 | 145.14.144.149 | 192.168.2.4
Mar 26, 2022 08:00:24.607055902 CET | 49792 | 21 | 192.168.2.4 | 145.14.144.149
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 26, 2022 07:59:50.148940086 CET | 54069 | 53 | 192.168.2.4 | 8.8.8.8
Mar 26, 2022 07:59:50.168469906 CET | 53 | 54069 | 8.8.8.8 | 192.168.2.4
Mar 26, 2022 07:59:50.442208052 CET | 57747 | 53 | 192.168.2.4 | 8.8.8.8
Mar 26, 2022 07:59:50.465178013 CET | 53 | 57747 | 8.8.8.8 | 192.168.2.4
Mar 26, 2022 07:59:50.660053015 CET | 58171 | 53 | 192.168.2.4 | 8.8.8.8
Mar 26, 2022 07:59:50.678874016 CET | 53 | 58171 | 8.8.8.8 | 192.168.2.4
Mar 26, 2022 08:00:23.184053898 CET | 51679 | 53 | 192.168.2.4 | 8.8.8.8
Mar 26, 2022 08:00:23.216795921 CET | 53 | 51679 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 26, 2022 07:59:50.148940086 CET | 192.168.2.4 | 8.8.8.8 | 0x2e5f | Standard query (0) | 49.124.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Mar 26, 2022 07:59:50.442208052 CET | 192.168.2.4 | 8.8.8.8 | 0x7775 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 26, 2022 07:59:50.660053015 CET | 192.168.2.4 | 8.8.8.8 | 0x1bc3 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 26, 2022 08:00:23.184053898 CET | 192.168.2.4 | 8.8.8.8 | 0xd189 | Standard query (0) | files.000webhost.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 26, 2022 07:59:50.168469906 CET | 8.8.8.8 | 192.168.2.4 | 0x2e5f | Name error (3) | 49.124.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Mar 26, 2022 07:59:50.465178013 CET | 8.8.8.8 | 192.168.2.4 | 0x7775 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 26, 2022 07:59:50.465178013 CET | 8.8.8.8 | 192.168.2.4 | 0x7775 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 26, 2022 07:59:50.678874016 CET | 8.8.8.8 | 192.168.2.4 | 0x1bc3 | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 26, 2022 07:59:50.678874016 CET | 8.8.8.8 | 192.168.2.4 | 0x1bc3 | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 26, 2022 08:00:23.216795921 CET | 8.8.8.8 | 192.168.2.4 | 0xd189 | No error (0) | files.000webhost.com | us-east-1.route-1000.000webhost.awex.io | | CNAME (Canonical name) | IN (0x0001)
Mar 26, 2022 08:00:23.216795921 CET | 8.8.8.8 | 192.168.2.4 | 0xd189 | No error (0) | us-east-1.route-1000.000webhost.awex.io | | 145.14.144.149 | A (IP address) | IN (0x0001)
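Read together, the TCP and DNS tables above show the sequence a detection rule should key on: the process resolves whatismyipaddress.com and connects to it on 80 and 443 (the "may check the online IP address" signature), then 33 seconds later resolves files.000webhost.com, follows its CNAME to 145.14.144.149 and opens a connection on TCP 21, the plaintext FTP channel HawkEye uses to deliver stolen credentials. The script below is an added example, not part of the report, that correlates the two tables the way a SIEM rule would: map answered addresses back to the queried name (walking the CNAME), tag flows to external-IP services, and tag flows on credential-exfil ports that follow such a check within a window. The input rows are constructed from the tables above, trimmed to whole seconds; the extra IP-check domains, the port list and the 10-minute window are assumptions for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed from the DNS-answer and TCP-packet tables above: one row per
# answer record and one row per flow (its first packet), trimmed to seconds.
DNS_ANSWERS: List[Tuple[str, str, str, Optional[str]]] = [
    ("2022-03-26 07:59:50", "49.124.12.0.in-addr.arpa", "PTR", None),   # Name error (3)
    ("2022-03-26 07:59:50", "whatismyipaddress.com", "A", "104.16.154.36"),
    ("2022-03-26 07:59:50", "whatismyipaddress.com", "A", "104.16.155.36"),
    ("2022-03-26 08:00:23", "files.000webhost.com", "CNAME",
     "us-east-1.route-1000.000webhost.awex.io"),
    ("2022-03-26 08:00:23", "us-east-1.route-1000.000webhost.awex.io", "A",
     "145.14.144.149"),
]
TCP_FLOWS: List[Tuple[str, str, int, str, int]] = [
    ("2022-03-26 07:59:50", "192.168.2.4", 49777, "104.16.154.36", 80),
    ("2022-03-26 07:59:50", "192.168.2.4", 49778, "104.16.154.36", 443),
    ("2022-03-26 08:00:23", "192.168.2.4", 49792, "145.14.144.149", 21),
]

# whatismyipaddress.com is the service in the report; the other entries are
# assumptions added for the example, as are the port list and the window.
IP_CHECK_DOMAINS = {"whatismyipaddress.com", "checkip.dyndns.org",
                    "api.ipify.org", "icanhazip.com"}
EXFIL_PORTS = {21: "ftp", 25: "smtp", 587: "smtp-submission"}
EXFIL_WINDOW = timedelta(minutes=10)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def resolve_map(answers) -> Dict[str, str]:
    """Map each answered address back to the name the client asked for,
    walking CNAME answers back to the alias (files.000webhost.com rather
    than the CDN host it points at)."""
    alias_of = {target: alias for _, alias, rtype, target in answers if rtype == "CNAME"}
    ip_to_name: Dict[str, str] = {}
    for _, name, rtype, addr in answers:
        if rtype != "A" or not addr:
            continue
        for _ in range(8):                       # bounded walk, tolerates loops
            if name not in alias_of:
                break
            name = alias_of[name]
        ip_to_name[addr] = name
    return ip_to_name


def correlate(answers, flows, window: timedelta = EXFIL_WINDOW) -> List[Dict]:
    """Tie TCP flows to the DNS names behind them and raise two alerts:
    a connection to an external-IP service, and a connection on a plaintext
    credential-exfil port that follows such a check within `window`."""
    ip_to_name = resolve_map(answers)
    ip_check_times = [_ts(t) for t, name, _, _ in answers if name in IP_CHECK_DOMAINS]
    alerts: List[Dict] = []
    for t, src, sport, dst, dport in flows:
        when = _ts(t)
        name = ip_to_name.get(dst, dst)          # no DNS seen: keep the bare IP
        base = {"time": t, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "domain": name}
        if name in IP_CHECK_DOMAINS:
            alerts.append({**base, "rule": "external-ip-check"})
        if dport in EXFIL_PORTS:
            preceded = any(timedelta(0) <= when - c <= window for c in ip_check_times)
            alerts.append({**base, "rule": "plaintext-exfil-channel",
                           "protocol": EXFIL_PORTS[dport], "after_ip_check": preceded})
    return alerts


if __name__ == "__main__":
    for alert in correlate(DNS_ANSWERS, TCP_FLOWS):
        print(alert)
```

The FTP alert carries the queried name (files.000webhost.com) rather than the awex.io CDN host, which is what you want to block or pivot on; the `after_ip_check` flag is what lifts a lone port-21 connection from "noisy" to "stealer-like".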
• whatismyipaddress.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49778 | 104.16.154.36 | 443 | C:\Users\user\Desktop\7.exe

Timestamp | kBytes transferred | Direction | Data

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49777 | 104.16.154.36 | 80 | C:\Users\user\Desktop\7.exe

Timestamp | kBytes transferred | Direction | Data
Mar 26, 2022 07:59:50.590919018 CET | 1051 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Mar 26, 2022 07:59:50.617904902 CET | 1052 | IN | HTTP/1.1 301 Moved Permanently
    Date: Sat, 26 Mar 2022 06:59:50 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sat, 26 Mar 2022 07:59:50 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=S_s1CS7DGOM6eBfXmUtivKhK4v54G0jBWizUnEhD0hc-1648277990-0-AcT/wi4ZYVZB1IWa1ExFH8BRgzGuiMz541nIRM/73gJ1Yt+VLI8/WZDyVzjjF+3OkKYGGrFmIvzzTmB27VGgnO4=; path=/; expires=Sat, 26-Mar-22 07:29:50 GMT; domain=.whatismyipaddress.com; HttpOnly
    Server: cloudflare
    CF-RAY: 6f1e01813e6b9ba6-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49778 | 104.16.154.36 | 443 | C:\Users\user\Desktop\7.exe

Timestamp | kBytes transferred | Direction | Data
2022-03-26 06:59:51 UTC | 0 | OUT | GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
2022-03-26 06:59:51 UTC | 0 | IN | HTTP/1.1 403 Forbidden
    Date: Sat, 26 Mar 2022 06:59:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    CF-Chl-Bypass: 1
    Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    X-Frame-Options: SAMEORIGIN
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Set-Cookie: __cf_bm=Vd7oHkI86VCkRNhJ2ufFFOkskwgzG61jnL7.1ngI0ZI-1648277991-0-AXKGAVonDzYglQ/tiv8FR+qwypp7BnEq4lYKCAOahVihbQj4Dc3wxS0Ubdt8j3dqzSOLMUDxNAMCmdmFvxUXhL8=; path=/; expires=Sat, 26-Mar-22 07:29:51 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
    Server: cloudflare
    CF-RAY: 6f1e0185c8788ffa-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-03-26 06:59:51 UTC | 1 | IN | Data Raw: 33 33 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
    Data Ascii: 339a<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2022-03-26 06:59:51 UTC | 1 | IN | Data Raw: 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 74 69 74 6c 65 3e 50 6c 65 61 73 65 20 57 61 69 74 2e 2e 2e 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 69 64 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22
    Data Ascii: o-js" lang="en-US"> ...<![endif]--><head><title>Please Wait... | Cloudflare</title> <meta name="captcha-bypass" id="captcha-bypass" /><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="
2022-03-26 06:59:51 UTC | 2 | IN | Data Raw: 47 7a 4e 42 7a 30 22 2c 0a 20 20 20 20 20 20 20 20 63 46 50 57 76 3a 20 22 62 22 2c 0a 20 20 20 20 20 20 20 20 63 54 54 69 6d 65 4d 73 3a 20 22 31 30 30 30 22 2c 0a 20 20 20 20 20 20 20 20 63 4c 74 3a 20 22 6e 22 2c 0a 20 20 20 20 20 20 20 20 63 52 71 3a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 72 75 3a 20 22 61 48 52 30 63 48 4d 36 4c 79 39 33 61 47 46 30 61 58 4e 74 65 57 6c 77 59 57 52 6b 63 6d 56 7a 63 79 35 6a 62 32 30 76 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 61 3a 20 22 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 6d 3a 20 22 52 30 56 55 22 2c 0a 20 20 20 20 20 20 20 20 20 20 64 3a 20 22 5a 53 65 4f 37 53 74 2f 6e 36 56 6a 6c 33 2f 79 74 51 64 65 61 31 57 47 70 4e 79 66 2b 47 57 63 47 55 33 45 61 49 6a 41 74 6a 6f 46 6b 53 6e 48 42 49 47 45 72 34 6a
    Data Ascii: GzNBz0", cFPWv: "b", cTTimeMs: "1000", cLt: "n", cRq: { ru: "aHR0cHM6Ly93aGF0aXNteWlwYWRkcmVzcy5jb20v", ra: "", rm: "R0VU", d: "ZSeO7St/n6Vjl3/ytQdea1WGpNyf+GWcGU3EaIjAtjoFkSnHBIGEr4j
2022-03-26 06:59:51 UTC | 4 | IN | Data Raw: 3a 36 39 70 78 3b 20 6d 61 72 67 69 6e 3a 20 20 61 75 74 6f 3b 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 70 6c 65 61 73 65 2d 77 61 69 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0a 20 20 2e 61 74 74 72 69 62 75 74 69 6f 6e 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 32 70 78 3b 7d 0a 20 20 2e 62 75 62 62 6c 65 73 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 38 32 32 30 3b 20 77 69 64 74 68 3a 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 32 30 70 78 3b 20 6d 61 72 67 69 6e 3a 32 70 78 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 30 25 3b 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 68 61 6c 6c 65 6e 67 65 2d 66
                                                                                                                                                      2022-03-26 06:59:51 UTC4INData Raw: 3a 36 39 70 78 3b 20 6d 61 72 67 69 6e 3a 20 20 61 75 74 6f 3b 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 70 6c 65 61 73 65 2d 77 61 69 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0a 20 20 2e 61 74 74 72 69 62 75 74 69 6f 6e 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 32 70 78 3b 7d 0a 20 20 2e 62 75 62 62 6c 65 73 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 38 32 32 30 3b 20 77 69 64 74 68 3a 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 32 30 70 78 3b 20 6d 61 72 67 69 6e 3a 32 70 78 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 30 25 3b 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 68 61 6c 6c 65 6e 67 65 2d 66
                                                                                                                                                      Data Ascii: :69px; margin: auto;} #cf-wrapper #cf-please-wait{text-align:center} .attribution {margin-top: 32px;} .bubbles { background-color: #f58220; width:20px; height: 20px; margin:2px; border-radius:100%; display:inline-block; } #cf-wrapper #challenge-f
                                                                                                                                                      2022-03-26 06:59:51 UTC5INData Raw: 20 20 20 20 20 20 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 68 69 67 68 6c 69 67 68 74 20 63 66 2d 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 68 69 67 68 6c 69 67 68 74 2d 69 6e 76 65 72 73 65 20 63 66 2d 66 6f 72 6d 2d 73 74 61 63 6b 65 64
                                                                                                                                                      Data Ascii: <div class="cf-section cf-highlight cf-captcha-container"> <div class="cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <div class="cf-highlight-inverse cf-form-stacked
                                                                                                                                                      2022-03-26 06:59:51 UTC6INData Raw: 64 31 35 58 45 30 54 36 70 41 55 73 31 73 32 6d 6d 62 67 47 50 55 49 75 52 63 45 54 7a 51 35 74 5f 33 34 45 77 57 48 37 73 64 75 74 4f 67 35 78 31 61 78 7a 68 5a 38 71 58 46 74 6c 5f 39 42 4b 68 68 6d 33 4a 64 47 44 58 78 44 37 65 43 44 4b 54 6d 69 68 6d 41 31 63 57 7a 70 5a 73 6e 42 36 77 38 5f 5a 69 5a 6e 46 39 30 76 62 5a 35 4a 30 76 72 39 4a 33 42 64 78 70 5a 6d 74 36 55 6f 6e 66 4a 70 68 69 34 57 41 65 6a 35 4d 72 53 78 58 5a 76 4f 42 31 34 35 30 6e 72 5f 47 32 6f 72 53 73 71 34 4d 43 70 44 76 52 31 51 48 4f 46 49 43 49 5f 71 31 32 5a 73 42 59 58 43 6d 58 5a 78 76 48 41 55 56 67 2d 6d 4e 70 61 70 56 69 77 4d 6f 47 4d 74 55 59 41 37 55 42 70 76 76 6e 6c 55 48 77 4b 50 33 45 71 43 4a 34 58 42 31 4a 6c 52 69 38 5f 51 66 6a 66 36 50 47 4a 5f 4b 36 57 30
                                                                                                                                                      Data Ascii: d15XE0T6pAUs1s2mmbgGPUIuRcETzQ5t_34EwWH7sdutOg5x1axzhZ8qXFtl_9BKhhm3JdGDXxD7eCDKTmihmA1cWzpZsnB6w8_ZiZnF90vbZ5J0vr9J3BdxpZmt6UonfJphi4WAej5MrSxXZvOB1450nr_G2orSsq4MCpDvR1QHOFICI_q12ZsBYXCmXZxvHAUVg-mNpapViwMoGMtUYA7UBpvvnlUHwKP3EqCJ4XB1JlRi8_Qfjf6PGJ_K6W0
                                                                                                                                                      2022-03-26 06:59:51 UTC8INData Raw: 6b 4d 37 61 4b 75 58 30 31 7a 41 65 6a 4f 30 69 42 4f 50 41 49 57 58 64 63 72 63 71 63 73 4e 52 4e 50 62 68 76 38 57 58 34 32 65 6b 49 4c 41 75 43 34 56 2f 30 31 73 2b 61 2b 71 71 53 6f 49 59 42 42 67 43 75 6e 4f 37 79 72 52 4f 70 66 32 76 56 68 50 38 45 64 63 36 53 66 43 70 36 36 32 46 47 70 2f 78 72 58 41 51 30 31 70 55 52 6c 6d 48 38 6b 61 6c 2f 76 6c 69 51 50 69 79 42 55 50 73 4a 2b 44 65 53 6b 41 69 64 6b 71 6a 75 68 34 71 2f 35 6a 61 2b 6a 67 57 45 76 61 44 5a 49 34 65 75 44 6c 37 6e 59 38 6f 35 61 66 39 30 44 6e 48 66 4a 63 48 41 4c 67 61 33 38 77 36 37 32 75 45 32 54 57 54 49 36 52 52 42 51 44 35 2b 76 38 78 51 53 47 75 74 48 70 4e 36 36 5a 62 52 41 4b 4a 45 4f 70 70 4a 34 37 59 4f 34 6b 6b 4e 73 57 47 44 4b 6a 4b 59 61 73 47 7a 57 7a 34 77 38 63
                                                                                                                                                      Data Ascii: kM7aKuX01zAejO0iBOPAIWXdcrcqcsNRNPbhv8WX42ekILAuC4V/01s+a+qqSoIYBBgCunO7yrROpf2vVhP8Edc6SfCp662FGp/xrXAQ01pURlmH8kal/vliQPiyBUPsJ+DeSkAidkqjuh4q/5ja+jgWEvaDZI4euDl7nY8o5af90DnHfJcHALga38w672uE2TWTI6RRBQD5+v8xQSGutHpN66ZbRAKJEOppJ47YO4kkNsWGDKjKYasGzWz4w8c
                                                                                                                                                      2022-03-26 06:59:51 UTC9INData Raw: 6c 65 61 73 65 20 74 75 72 6e 20 4a 61 76 61 53 63 72 69 70 74 20 6f 6e 20 61 6e 64 20 72 65 6c 6f 61 64 20 74 68 65 20 70 61 67 65 2e 3c 2f 68 31 3e 0a 20 20 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6e 6f 2d 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 63 6c 61 73 73 3d 22 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 0a 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 43
                                                                                                                                                      Data Ascii: lease turn JavaScript on and reload the page.</h1> </noscript> <div id="no-cookie-warning" class="cookie-warning" data-translate="turn_on_cookies" style="display:none"> <p data-translate="turn_on_cookies" style="color:#bd2426;">Please enable C
                                                                                                                                                      2022-03-26 06:59:51 UTC10INData Raw: 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 74 72 6b 6a 73 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 63 70 6f 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 68 2f 62 2f 6f 72 63 68 65 73 74 72 61 74 65 2f 6d 61 6e 61 67 65 64 2f 76 31 3f 72 61 79 3d 36 66 31 65 30 31 38 35 63 38 37 38 38 66 66 61 22 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70
                                                                                                                                                      Data Ascii: document.body.appendChild(trkjs); var cpo=document.createElement('script'); cpo.type='text/javascript'; cpo.src="/cdn-cgi/challenge-platform/h/b/orchestrate/managed/v1?ray=6f1e0185c8788ffa"; window._cf_chl_op
                                                                                                                                                      2022-03-26 06:59:51 UTC12INData Raw: 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 64 6f 20 49 20 68 61 76 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 20 61 20 43 41 50 54 43 48 41 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 64 65 74 61 69 6c
                                                                                                                                                      Data Ascii: ="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2> <p data-translate="why_captcha_detail
                                                                                                                                                      2022-03-26 06:59:51 UTC13INData Raw: 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 59 6f 75 72 20 49 50 3c 2f 73 70 61 6e 3e 3a 20 38 34 2e 31 37 2e 35 32 2e 37 35 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62
                                                                                                                                                      Data Ascii: an> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm:block sm:mb-1"><span>Your IP</span>: 84.17.52.75</span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm:b
                                                                                                                                                      2022-03-26 06:59:51 UTC14INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                      Data Ascii: 0


Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP         | Commands
Mar 26, 2022 08:00:23.518426895 CET | 21          | 49792     | 145.14.144.149  | 192.168.2.4     | 220 ProFTPD Server (000webhost.com) [::ffff:145.14.144.149]
Mar 26, 2022 08:00:23.523405075 CET | 49792       | 21        | 192.168.2.4     | 145.14.144.149  | USER fcb-aws-host-4
Mar 26, 2022 08:00:24.476912975 CET | 21          | 49792     | 145.14.144.149  | 192.168.2.4     | 500 USER: Operation not permitted


                                                                                                                                                      Target ID:0
                                                                                                                                                      Start time:07:59:33
                                                                                                                                                      Start date:26/03/2022
                                                                                                                                                      Path:C:\Users\user\Desktop\7.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Users\user\Desktop\7.exe"
                                                                                                                                                      Imagebase:0x140000
                                                                                                                                                      File size:913920 bytes
                                                                                                                                                      MD5 hash:ED666BF7F4A0766FCEC0E9C8074B089B
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000000.00000002.521204607.0000000007650000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000000.00000002.521214363.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Reputation:low

                                                                                                                                                      Target ID:6
                                                                                                                                                      Start time:07:59:54
                                                                                                                                                      Start date:26/03/2022
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      File size:1171592 bytes
                                                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.294953383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.294308364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.293577766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.298222590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      Reputation:high

                                                                                                                                                      Target ID:7
                                                                                                                                                      Start time:07:59:54
                                                                                                                                                      Start date:26/03/2022
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      File size:1171592 bytes
                                                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.295698908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.336555805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.294642291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000000.295228513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:11
Start time:08:00:03
Start date:26/03/2022
Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:0x4a0000
File size:913920 bytes
MD5 hash:ED666BF7F4A0766FCEC0E9C8074B089B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Arnim Rupp
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 69%, Metadefender
• Detection: 95%, ReversingLabs
Reputation:low

Target ID:13
Start time:08:00:14
Start date:26/03/2022
Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:0xc90000
File size:913920 bytes
MD5 hash:ED666BF7F4A0766FCEC0E9C8074B089B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low

No disassembly