
Analysis Report svchost[1].exe

Overview

General Information

Sample Name:svchost[1].exe
Analysis ID:383988
MD5:f31b0e7d038ed9d64be2c6ef94fa5171
SHA1:a4311ea256fb28fa7815249f43c903641c7114da
SHA256:30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • svchost[1].exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\svchost[1].exe' MD5: F31B0E7D038ED9D64BE2C6EF94FA5171)
    • svchost[1].exe (PID: 5872 cmdline: C:\Users\user\Desktop\svchost[1].exe MD5: F31B0E7D038ED9D64BE2C6EF94FA5171)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "helio@lpsinvest.comz6~Rhjss*B0}smtp.lpsinvest.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.svchost[1].exe.3c80048.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.svchost[1].exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.svchost[1].exe.3b49d80.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.svchost[1].exe.3b49d80.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.svchost[1].exe.3b49d80.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "helio@lpsinvest.comz6~Rhjss*B0}smtp.lpsinvest.com"}
Multi AV Scanner detection for submitted file
Source: svchost[1].exe Virustotal: Detection: 15%
Source: svchost[1].exe ReversingLabs: Detection: 16%
Machine Learning detection for sample
Source: svchost[1].exe Joe Sandbox ML: detected
Source: 5.2.svchost[1].exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: svchost[1].exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: svchost[1].exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 5.10.29.169:587
Source: global traffic TCP traffic: 192.168.2.4:49764 -> 5.10.29.169:587
Source: Joe Sandbox View IP Address: 5.10.29.169
Source: Joe Sandbox View ASN Name: EVEREST-ASGB
Source: unknown DNS traffic detected: queries for: smtp.lpsinvest.com

System Summary:

.NET source code contains very large array initializations
Source: 5.2.svchost[1].exe.400000.0.unpack, <PrivateImplementationDetails>{2429E0AC-C67E-4BB9-982E-094851467126}/CC8F16B2-6C4F-4B93-81B5-25F57D65A170.cs Large array initialization: .cctor: array initializer size 11954
Source: svchost[1].exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost[1].exe Binary or memory string: OriginalFilename vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.670654588.0000000007270000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.670490935.00000000070C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVelcoHvurJzSrWOaHpKEnnVWLqW.exe4 vs svchost[1].exe
Source: svchost[1].exe, 00000000.00000000.642028343.0000000000672000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameVelcoHvurJzSrWOaHpKEnnVWLqW.exe4 vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906391605.0000000000F58000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906825657.00000000012A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs svchost[1].exe
Source: svchost[1].exe, 00000005.00000002.906252484.0000000000AD2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe Binary or memory string: OriginalFilenameCreateRangesd9.exeD vs svchost[1].exe
Source: svchost[1].exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.svchost[1].exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2
Source: C:\Users\user\Desktop\svchost[1].exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost[1].exe.log
Source: C:\Users\user\Desktop\svchost[1].exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\svchost[1].exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\svchost[1].exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\svchost[1].exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\svchost[1].exe File read: C:\Windows\System32\drivers\etc\hosts
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown Process created: C:\Users\user\Desktop\svchost[1].exe 'C:\Users\user\Desktop\svchost[1].exe'
Source: C:\Users\user\Desktop\svchost[1].exe Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe
Source: C:\Users\user\Desktop\svchost[1].exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\svchost[1].exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\svchost[1].exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: svchost[1].exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 0_2_00688523 push dword ptr [esi+3Fh]; iretd
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 0_2_00675683 push es; retf
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 0_2_0068928F push FFFFFFD9h; iretd
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 0_2_04AA1FD7 push D0456990h; retf
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 5_2_00AE8523 push dword ptr [esi+3Fh]; iretd
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 5_2_00AE928F push FFFFFFD9h; iretd
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 5_2_00AD5683 push es; retf
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 5_2_0131E0C2 push es; ret
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 5_2_016ACD51 push esp; iretd
Source: C:\Users\user\Desktop\svchost[1].exe Code function: 5_2_055A5157 push eax; ret
Source: initial sample Static PE information: section name: .text entropy: 7.56739593384
Source: C:\Users\user\Desktop\svchost[1].exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\svchost[1].exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\svchost[1].exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match | File source: 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 6956, type: MEMORY
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\svchost[1].exe | Code function: 0_2_00674CAE sldt word ptr [eax]
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\svchost[1].exe | Window / User API: threadDelayed 962
                    Source: C:\Users\user\Desktop\svchost[1].exe | Window / User API: threadDelayed 8893
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6960 | Thread sleep time: -103561s >= -30000s
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 7000 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6512 | Thread sleep time: -22136092888451448s >= -30000s
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516 | Thread sleep count: 962 > 30
                    Source: C:\Users\user\Desktop\svchost[1].exe TID: 6516 | Thread sleep count: 8893 > 30
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\svchost[1].exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 103561
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\svchost[1].exe | Thread delayed: delay time: 922337203685477
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: vmware
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                    Source: svchost[1].exe, 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\svchost[1].exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\svchost[1].exe | Memory written: C:\Users\user\Desktop\svchost[1].exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\svchost[1].exe | Process created: C:\Users\user\Desktop\svchost[1].exe C:\Users\user\Desktop\svchost[1].exe
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progman
                    Source: svchost[1].exe, 00000005.00000002.907386996.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Users\user\Desktop\svchost[1].exe VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Users\user\Desktop\svchost[1].exe | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\svchost[1].exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 5872, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 6956, type: MEMORY
                    Source: Yara match | File source: 0.2.svchost[1].exe.3c80048.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.svchost[1].exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.unpack, type: UNPACKEDPE
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\svchost[1].exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\svchost[1].exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 5872, type: MEMORY

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 5872, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost[1].exe PID: 6956, type: MEMORY
                    Source: Yara match | File source: 0.2.svchost[1].exe.3c80048.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.svchost[1].exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.svchost[1].exe.3b49d80.3.unpack, type: UNPACKEDPE

                    Mitre Att&ck Matrix (numbers after a technique are the report's matched-signature counts)

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 141 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud |
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Behavior Graph

(Behavior graph image; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

                    Screenshots


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label | Link
svchost[1].exe | 16% | Virustotal | | Browse
svchost[1].exe | 17% | ReversingLabs | Win32.Trojan.AgentTesla |
svchost[1].exe | 100% | Joe Sandbox ML | |

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
5.2.svchost[1].exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

                    Domains

                    No Antivirus matches

                    URLs


                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.lpsinvest.com | 5.10.29.169 | true | true | | unknown

                      URLs from Memory and Binaries


                                                      Contacted IPs


                                                      Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
5.10.29.169 | smtp.lpsinvest.com | United Kingdom | | 60610 | EVEREST-ASGB | true

                                                      Private

                                                      IP
                                                      192.168.2.1

                                                      General Information

                                                      Joe Sandbox Version:31.0.0 Emerald
                                                      Analysis ID:383988
                                                      Start date:08.04.2021
                                                      Start time:13:42:42
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 8m 2s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:svchost[1].exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                      Number of analysed new started processes analysed:20
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@1/2
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:
                                                      • Successful, ratio: 0.1% (good quality ratio 0%)
                                                      • Quality average: 17.8%
                                                      • Quality standard deviation: 31.4%
                                                      HCA Information:
                                                      • Successful, ratio: 99%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Found application associated with file extension: .exe
                                                      Warnings:
                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.54.113.53, 52.147.198.201, 52.255.188.83, 20.50.102.62, 23.10.249.26, 23.10.249.43, 13.88.21.125, 52.155.217.156, 20.54.26.129, 20.82.210.154, 104.43.193.48
                                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      Time | Type | Description
                                                      13:43:36 | API Interceptor | 720x Sleep call for process: svchost[1].exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      Match:5.10.29.169
                                                      Associated Sample Name / URL | Detection
                                                      PAGO.xlsx | malicious
                                                      78jqVxp7pl.exe | malicious
                                                      AhJ6Pqv5Ik.exe | malicious
                                                      SecuriteInfo.com.Trojan.PackedNET.598.11918.exe | malicious
                                                      179422427-105719-sanlccjavap0003-1.pdf.exe | malicious
                                                      6wYAsx4N91.exe | malicious
                                                      SecuriteInfo.com.Trojan.Win32.Save.a.2641.exe | malicious
                                                      Transf. ppto 310404.xlsx | malicious
                                                      PAGO.xlsx | malicious

                                                                        Domains

                                                                        Match:smtp.lpsinvest.com
                                                                        Associated Sample Name / URL | Detection | Context
                                                                        PAGO.xlsx | malicious | 5.10.29.169
                                                                        78jqVxp7pl.exe | malicious | 5.10.29.169

                                                                        ASN

                                                                        Match:EVEREST-ASGB
                                                                        Associated Sample Name / URL | Detection | Context
                                                                        PAGO.xlsx | malicious | 5.10.29.169
                                                                        78jqVxp7pl.exe | malicious | 5.10.29.169
                                                                        AhJ6Pqv5Ik.exe | malicious | 5.10.29.169
                                                                        SecuriteInfo.com.Trojan.PackedNET.598.11918.exe | malicious | 5.10.29.169
                                                                        179422427-105719-sanlccjavap0003-1.pdf.exe | malicious | 5.10.29.169
                                                                        6wYAsx4N91.exe | malicious | 5.10.29.169
                                                                        SecuriteInfo.com.Trojan.Win32.Save.a.2641.exe | malicious | 5.10.29.169
                                                                        Transf. ppto 310404.xlsx | malicious | 5.10.29.169
                                                                        PAGO.xlsx | malicious | 5.10.29.169

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost[1].exe.log
                                                                        Process:C:\Users\user\Desktop\svchost[1].exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1314
                                                                        Entropy (8bit):5.350128552078965
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                        MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                        SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                        SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                        SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                        Malicious:true
                                                                        Reputation:high, very likely benign file
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
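The UsageLogs file above is the CLR's own record of the assemblies this process bound, and it is a durable artifact that a .NET binary ran under this user profile even after the sample itself is gone. The Python below is an added example, not part of the Joe Sandbox report: it parses the preview above with its ".." separators restored to line breaks (the file is CRLF text) and the truncated final record dropped. The reading of the leading number as a record kind (2: assembly reference; 3: reference plus native-image path) is inferred from the visible rows, not from any documentation of the format.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed from the Preview above; line breaks restored, truncated last record omitted.
USAGE_LOG = r"""
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
"""


@dataclass(frozen=True)
class AssemblyRecord:
    kind: int                    # leading field; assumed: 1 = loader setting, 2/3 = assembly binding
    name: str
    version: Optional[str]
    public_key_token: Optional[str]
    native_image: Optional[str]  # present on kind-3 rows in this log


def parse_display_name(display):
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into name, version, token."""
    parts = [p.strip() for p in display.split(",")]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key] = value
    return parts[0], attrs.get("Version"), attrs.get("PublicKeyToken")


def parse_usage_log(text):
    """Return one AssemblyRecord per assembly row; quoted fields may contain commas."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        kind = int(row[0])
        if kind not in (2, 3) or len(row) < 3:
            continue
        name, version, token = parse_display_name(row[1])
        native = row[2] if kind == 3 and len(row) >= 4 else None
        records.append(AssemblyRecord(kind, name, version, token, native))
    return records


def loaded_assemblies(records):
    """Sorted simple names of every assembly the process bound."""
    return sorted({r.name for r in records})


def native_image_bindings(records):
    """Map assembly name -> NGEN image path for the rows that carry one."""
    return {r.name: r.native_image for r in records if r.native_image}


if __name__ == "__main__":
    recs = parse_usage_log(USAGE_LOG)
    print(loaded_assemblies(recs))
    print(native_image_bindings(recs))
```

The list of bound assemblies (Microsoft.VisualBasic, System.Windows.Forms, System.Drawing, System.Configuration alongside the core runtime) is what you would carry into a hunt across other hosts' UsageLogs directories: the file name is the executable name, so an entry for a binary that never legitimately ran on that host is the lead.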

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.231779565509928
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:svchost[1].exe
                                                                        File size:908800
                                                                        MD5:f31b0e7d038ed9d64be2c6ef94fa5171
                                                                        SHA1:a4311ea256fb28fa7815249f43c903641c7114da
                                                                        SHA256:30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e
                                                                        SHA512:45c21e3bf159c80ed6978a92134397074cafec0e5239660c5c691ef3769764209922fec772612c61e12d45a3c157e69264c3bcd89d3cd1ec142778e42b76de01
                                                                        SSDEEP:12288:SSLIIK2eESKnuHOvMUUzui2KrbCR4MzRBMuWRTIv/YLOn8gsIKUvE+:SSEIVfuuU/zbCxz4FYwankIc
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.n`..............P......F........... ........@.. .......................@............@................................

                                                                        File Icon

                                                                        Icon Hash:e8d4ae708e8ec461

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x4ab49a
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0x606EB279 [Thu Apr 8 07:36:25 2021 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al
                                                                        (the instruction above repeats 97 times: the bytes that follow the 6-byte jmp stub are zero padding, which disassembles as add byte ptr [eax], al)

                                                                        Data Directories

                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab448 | 0x4f | .text
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x34234 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                                                        Sections

                                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        .text | 0x2000 | 0xa94a0 | 0xa9600 | False | 0.794058464022 | data | 7.56739593384 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0xac000 | 0x34234 | 0x34400 | False | 0.389905427632 | data | 5.76174565278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name | RVA | Size | Type | Language | Country
                                                                        RT_ICON | 0xac220 | 0x521e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
                                                                        RT_ICON | 0xb1450 | 0x6f5a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
                                                                        RT_ICON | 0xb83bc | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | - | -
                                                                        RT_ICON | 0xc8bf4 | 0x94a8 | data | - | -
                                                                        RT_ICON | 0xd20ac | 0x5488 | data | - | -
                                                                        RT_ICON | 0xd7544 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294902528 | - | -
                                                                        RT_ICON | 0xdb77c | 0x25a8 | data | - | -
                                                                        RT_ICON | 0xddd34 | 0x10a8 | data | - | -
                                                                        RT_ICON | 0xdedec | 0x988 | data | - | -
                                                                        RT_ICON | 0xdf784 | 0x468 | GLS_BINARY_LSB_FIRST | - | -
                                                                        RT_GROUP_ICON | 0xdfbfc | 0x92 | data | - | -
                                                                        RT_VERSION | 0xdfca0 | 0x392 | data | - | -
                                                                        RT_MANIFEST | 0xe0044 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

                                                                        Imports

                                                                        DLL | Import
                                                                        mscoree.dll | _CorExeMain
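The header facts above are what an analyst checks by hand to confirm a managed executable carrying a likely encrypted payload: the entry point 0x4ab49a sits at the very end of .text, the only import is mscoree.dll!_CorExeMain, the IAT is 8 bytes at RVA 0x2000, a CLR header (COM_DESCRIPTOR) follows it at 0x2008, and .text has an entropy of 7.57 despite being flagged as code. The Python below is an added example, not part of the Joe Sandbox report, that performs those checks on the values from the tables above. The 6-byte stub is constructed from the entrypoint preview's jmp dword ptr [00402000h], and the 7.0 entropy threshold is an assumed triage rule rather than a value from the report.

```python
import math
import struct
from dataclasses import dataclass

# Values taken from the Static PE Info tables of this report.
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4AB49A


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA
    virtual_size: int
    raw_size: int
    entropy: float        # 8-bit Shannon entropy as reported


SECTIONS = [
    Section(".text", 0x2000, 0xA94A0, 0xA9600, 7.56739593384),
    Section(".rsrc", 0xAC000, 0x34234, 0x34400, 5.76174565278),
    Section(".reloc", 0xE2000, 0xC, 0x200, 0.101910425663),
]

# Data directories relevant to a managed entry stub: (RVA, size).
DATA_DIRECTORIES = {
    "IAT": (0x2000, 0x8),
    "IMPORT": (0xAB448, 0x4F),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}

# Constructed: machine code for "jmp dword ptr [00402000h]" (FF 25 <abs32, little-endian>).
ENTRY_STUB = bytes.fromhex("ff2500204000")

CODE_ENTROPY_THRESHOLD = 7.0  # assumed triage threshold, not a value from the report


def section_for_rva(rva, sections=SECTIONS):
    """Return the section whose in-memory range contains rva, or None."""
    for sec in sections:
        span = max(sec.virtual_size, sec.raw_size)
        if sec.virtual_address <= rva < sec.virtual_address + span:
            return sec
    return None


def decode_jmp_indirect(stub, image_base=IMAGE_BASE):
    """Decode x86 'jmp dword ptr [abs32]' (opcode FF 25); return (absolute address, RVA)."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        raise ValueError("not a jmp dword ptr [imm32] stub")
    target = struct.unpack_from("<I", stub, 2)[0]
    return target, target - image_base


def is_clr_entry_stub(stub, data_dirs=DATA_DIRECTORIES, image_base=IMAGE_BASE):
    """True if the stub jumps through the IAT, i.e. the standard managed-exe thunk to _CorExeMain."""
    try:
        _, rva = decode_jmp_indirect(stub, image_base)
    except ValueError:
        return False
    iat_rva, iat_size = data_dirs["IAT"]
    return iat_rva <= rva < iat_rva + iat_size


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(sections=SECTIONS, entry_va=ENTRY_POINT_VA, stub=ENTRY_STUB,
           data_dirs=DATA_DIRECTORIES, image_base=IMAGE_BASE):
    """Return the list of findings an analyst would note from the header facts."""
    findings = []
    sec = section_for_rva(entry_va - image_base, sections)
    findings.append("entry point lies outside every section" if sec is None
                    else f"entry point in {sec.name}")
    if is_clr_entry_stub(stub, data_dirs, image_base):
        findings.append("entry stub is the managed-exe jump through the IAT")
    if data_dirs.get("COM_DESCRIPTOR", (0, 0))[1]:
        findings.append("CLR header present: .NET assembly")
    for s in sections:
        if s.name == ".text" and s.entropy > CODE_ENTROPY_THRESHOLD:
            findings.append(f".text entropy {s.entropy:.2f} exceeds {CODE_ENTROPY_THRESHOLD}: "
                            "likely encrypted or compressed payload inside the code section")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The entropy function is the same measure the report applies per section; a .NET .text section that is almost all IL and metadata normally lands well below 7.0, so a value of 7.57 together with the "very large array initializations" signature points at a byte-array payload decrypted and run at runtime, which is consistent with the process injection this report observed.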

                                                                        Version Infos

                                                                        Translation:0x0000 0x04b0
                                                                        LegalCopyright:Copyright 2016 Computer City
                                                                        Assembly Version:1.12.0.2
                                                                        InternalName:CreateRangesd9.exe
                                                                        FileVersion:1.12.0.2
                                                                        CompanyName:Computer City
                                                                        LegalTrademarks:
                                                                        Comments:
                                                                        ProductName:UnmanagedAccessor
                                                                        ProductVersion:1.12.0.2
                                                                        FileDescription:UnmanagedAccessor
                                                                        OriginalFilename:CreateRangesd9.exe

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                        04/08/21-13:45:21.100935 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49764 | 587 | 192.168.2.4 | 5.10.29.169

                                                                        Network Port Distribution

                                                                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 13:45:20.774466991 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.809410095 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.809658051 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.843045950 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.843540907 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.876821041 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.878261089 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.911379099 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.911873102 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.945014954 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.945971012 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:20.980176926 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:20.982388020 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.016210079 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.016686916 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.099493027 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.100934982 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.101042986 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.101499081 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.101574898 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169
Apr 8, 2021 13:45:21.134054899 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.134463072 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.134802103 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4
Apr 8, 2021 13:45:21.174755096 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169

                                                                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 13:43:21.360517979 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:21.373454094 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:22.819057941 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:22.838268995 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:36.506131887 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:36.518707991 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:44.738883972 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:44.751890898 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:46.826216936 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:46.839076042 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:47.449106932 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:47.462033987 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:48.538242102 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:48.551193953 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:49.187021017 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:49.200397968 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:54.371588945 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:54.384330034 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:43:58.241430044 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:43:58.260020971 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:02.131122112 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:02.143009901 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:02.813589096 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:02.826136112 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:03.807391882 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:03.820637941 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:05.897753000 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:05.910046101 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:06.852571011 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:06.865803957 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:10.494389057 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:10.507993937 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:11.561630011 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:11.660725117 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:12.150500059 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:12.178684950 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:12.191378117 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:12.392133951 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:12.849486113 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:12.992903948 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:13.263180017 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:13.289325953 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:13.376241922 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:13.389256001 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:13.793956995 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:13.807368994 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:14.212326050 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:15.216603994 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:15.349567890 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:15.696815968 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:15.709959984 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:16.316134930 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:16.329654932 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:17.454092026 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:17.467392921 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:18.156184912 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:18.169085026 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:21.910017014 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:21.922573090 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:22.993221045 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:23.005882025 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:24.075020075 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:24.087544918 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:28.624958038 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:28.660696983 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:29.063834906 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:29.079916000 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:30.455490112 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:30.467747927 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:44:31.131867886 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:44:31.145515919 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:45:03.703135967 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:45:03.735781908 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:45:05.588020086 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:45:05.601299047 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:45:20.593401909 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:45:20.638649940 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4

                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 13:45:20.593401909 CEST | 192.168.2.4 | 8.8.8.8 | 0x2ebe | Standard query (0) | smtp.lpsinvest.com | A (IP address) | IN (0x0001)

                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 13:45:20.638649940 CEST | 8.8.8.8 | 192.168.2.4 | 0x2ebe | No error (0) | smtp.lpsinvest.com | | 5.10.29.169 | A (IP address) | IN (0x0001)

                                                                        SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 8, 2021 13:45:20.843045950 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 220 mail.elixir.eu.com
Apr 8, 2021 13:45:20.843540907 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | EHLO 284992
Apr 8, 2021 13:45:20.876821041 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250-mail.elixir.eu.com Hello [185.32.222.8]
    250-SIZE 31457280
    250-AUTH LOGIN CRAM-MD5
    250-STARTTLS
    250-8BITMIME
    250 OK
Apr 8, 2021 13:45:20.878261089 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | AUTH login aGVsaW9AbHBzaW52ZXN0LmNvbQ==
Apr 8, 2021 13:45:20.911379099 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 8, 2021 13:45:20.945014954 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 235 Authentication successful
Apr 8, 2021 13:45:20.945971012 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | MAIL FROM:<helio@lpsinvest.com>
Apr 8, 2021 13:45:20.980176926 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250 OK <helio@lpsinvest.com> Sender ok
Apr 8, 2021 13:45:20.982388020 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | RCPT TO:<helio@lpsinvest.com>
Apr 8, 2021 13:45:21.016210079 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250 OK <helio@lpsinvest.com> Recipient ok
Apr 8, 2021 13:45:21.016686916 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | DATA
Apr 8, 2021 13:45:21.099493027 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 354 Start mail input; end with <CRLF>.<CRLF>
Apr 8, 2021 13:45:21.101574898 CEST | 49764 | 587 | 192.168.2.4 | 5.10.29.169 | .
Apr 8, 2021 13:45:21.134802103 CEST | 587 | 49764 | 5.10.29.169 | 192.168.2.4 | 250 OK
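The SMTP exchange above is the exfiltration the Snort rule fired on, and it gives an analyst three things worth pulling out mechanically. The username in the AUTH LOGIN line is only base64-encoded (aGVsaW9AbHBzaW52ZXN0LmNvbQ== is helio@lpsinvest.com, and the server's 334 challenge UGFzc3dvcmQ6 is "Password:"); the client authenticated in the clear on port 587 even though the server advertised STARTTLS, which is why the sandbox could read the credentials at all; and the message is addressed from and to the same mailbox, a pattern consistent with a stealer dropping its loot into an account the operator controls. The client's reply to the password prompt does not appear in the captured transcript, so no password is recoverable from this page. The script below is an added example, not part of the Joe Sandbox report or of the malware: it replays a copy of the transcript, re-typed inline from the rows above, through a small SMTP-log analyzer that decodes LOGIN and PLAIN credentials and raises those findings. The transcript copy, the comparison of the banner hostname against the name from the DNS table, and the function names are all constructed for this example.

```python
"""Triage of a captured SMTP command log (added example, not from the report)."""
import base64
import re

# Constructed copy of the exchange shown in the SMTP Packets table above:
# ("S", ...) is a server line, ("C", ...) a client line. The client's reply
# to the "334" password prompt is not in the captured transcript, so it is
# deliberately absent here as well.
TRANSCRIPT = [
    ("S", "220 mail.elixir.eu.com"),
    ("C", "EHLO 284992"),
    ("S", "250-mail.elixir.eu.com Hello [185.32.222.8]"),
    ("S", "250-SIZE 31457280"),
    ("S", "250-AUTH LOGIN CRAM-MD5"),
    ("S", "250-STARTTLS"),
    ("S", "250-8BITMIME"),
    ("S", "250 OK"),
    ("C", "AUTH login aGVsaW9AbHBzaW52ZXN0LmNvbQ=="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "235 Authentication successful"),
    ("C", "MAIL FROM:<helio@lpsinvest.com>"),
    ("S", "250 OK <helio@lpsinvest.com> Sender ok"),
    ("C", "RCPT TO:<helio@lpsinvest.com>"),
    ("S", "250 OK <helio@lpsinvest.com> Recipient ok"),
    ("C", "DATA"),
    ("S", "354 Start mail input; end with <CRLF>.<CRLF>"),
    ("C", "."),
    ("S", "250 OK"),
]

# Name the client resolved right before connecting (from the DNS tables above).
QUERIED_NAME = "smtp.lpsinvest.com"

ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def decode_b64(token):
    """Decode one base64 token; None if it is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_smtp(transcript, queried_name=None):
    """Walk an SMTP command log and extract what triage needs: banner host,
    EHLO name, whether STARTTLS was offered and used, the AUTH mechanism and
    (for LOGIN/PLAIN) the cleartext username, and the envelope addresses.
    Findings are returned as plain strings."""
    r = {
        "banner_host": None, "ehlo_name": None,
        "starttls_offered": False, "starttls_used": False,
        "auth_mechanism": None, "auth_username": None, "auth_ok": False,
        "mail_from": None, "rcpt_to": [], "findings": [],
    }
    for side, line in transcript:
        if side == "S":
            code, rest = line[:3], line[4:]        # "250-" and "250 " both split here
            if code == "220" and rest:
                r["banner_host"] = rest.split()[0]
            elif code == "250" and rest.upper().startswith("STARTTLS"):
                r["starttls_offered"] = True
            elif code == "235":
                r["auth_ok"] = True
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            r["ehlo_name"] = arg.strip()
        elif verb == "STARTTLS":
            r["starttls_used"] = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            mech = mech.upper()
            r["auth_mechanism"] = mech
            decoded = decode_b64(initial.strip()) if initial else None
            if mech == "LOGIN":
                r["auth_username"] = decoded       # initial response carries the username
            elif mech == "PLAIN" and decoded is not None:
                parts = decoded.split("\0")        # "\0authcid\0passwd" (RFC 4616)
                if len(parts) >= 2:
                    r["auth_username"] = parts[1]
        else:
            m = ADDR_RE.match(line)
            if m and m.group(1).upper() == "MAIL FROM":
                r["mail_from"] = m.group(2)
            elif m:
                r["rcpt_to"].append(m.group(2))

    mech = r["auth_mechanism"]
    if mech in ("LOGIN", "PLAIN") and not r["starttls_used"]:
        note = "credentials sent in cleartext (AUTH %s without STARTTLS)" % mech
        if r["starttls_offered"]:
            note += ", although the server offered STARTTLS"
        r["findings"].append(note)
    if r["mail_from"] and r["rcpt_to"] and all(a == r["mail_from"] for a in r["rcpt_to"]):
        r["findings"].append("self-addressed message: MAIL FROM equals every RCPT TO")
    if queried_name and r["banner_host"] and queried_name.lower() != r["banner_host"].lower():
        r["findings"].append("banner host %s differs from resolved name %s"
                             % (r["banner_host"], queried_name))
    return r


if __name__ == "__main__":
    report = analyze_smtp(TRANSCRIPT, QUERIED_NAME)
    for key in ("banner_host", "ehlo_name", "auth_mechanism", "auth_username",
                "auth_ok", "mail_from", "rcpt_to"):
        print("%-16s %s" % (key + ":", report[key]))
    for finding in report["findings"]:
        print("finding:", finding)
```

The same function works on a transcript that does upgrade to TLS first: a client that sends STARTTLS before AUTH PLAIN produces no cleartext finding, and for PLAIN the username is taken from the second NUL-separated field of the initial response. Note that a banner hostname that differs from the name the client resolved is only an observation, not evidence on its own; shared mail hosting produces the same mismatch.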

                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior


                                                                        System Behavior

                                                                        General

Start time: 13:43:27
Start date: 08/04/2021
Path: C:\Users\user\Desktop\svchost[1].exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\svchost[1].exe'
Imagebase: 0x670000
File size: 908800 bytes
MD5 hash: F31B0E7D038ED9D64BE2C6EF94FA5171
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.666294047.0000000003A3C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.665319943.0000000002A84000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.667204898.0000000003C5A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                        General

Start time: 13:43:37
Start date: 08/04/2021
Path: C:\Users\user\Desktop\svchost[1].exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\svchost[1].exe
Imagebase: 0xad0000
File size: 908800 bytes
MD5 hash: F31B0E7D038ED9D64BE2C6EF94FA5171
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.907761661.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.906186292.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                        Disassembly

                                                                        Code Analysis
