Analysis Report WcHO1ZGiIn

Overview

General Information

Sample Name: WcHO1ZGiIn (renamed file extension from none to exe)
Analysis ID: 432864
MD5: c7b10eb81f543debd7092703917cf6e5
SHA1: cfa927622c9ffb371aeb7fdbb4c32798ec6fbcdd
SHA256: aa46ed83ddd4f41f0c8eff6a404206cad70a7ecf4dd8754ee305655ffffee4bb

Detection

AgentTesla, Matiex
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected Matiex Keylogger
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Beds Obfuscator
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: WcHO1ZGiIn.exe Virustotal: Detection: 41%
Source: WcHO1ZGiIn.exe ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WcHO1ZGiIn.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: WcHO1ZGiIn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 145.14.145.185:443 -> 192.168.2.3:49730 version: TLS 1.0
Source: WcHO1ZGiIn.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WER46DA.tmp.dmp.7.dr
Source: Binary string: i8C:\Windows\WindowsApp26.pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Serwices.PDB source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb8~d source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: jC:\Users\user\AppData\Local\Temp\WindowsApp26.pdb3 source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb.10 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: .pdbf source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: WindowsFormsApp9.pdb source: WcHO1ZGiIn.exe
Source: Binary string: WindowsApp26.pdbsApp26.pdbpdbp26.pdbsApp26.pdb209-4053062332-1002d source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb` source: WER46DA.tmp.dmp.7.dr
Source: Binary string: WindowsApp26.pdb source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp, Serwices.exe, Serwices.exe.0.dr
Source: Binary string: System.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: symbols\exe\WindowsApp26.pdb) source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbO source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Serwices.PDB1 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbLIST source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdbV source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: .pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdba source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbz source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 145.14.145.185:443 -> 192.168.2.3:49730 version: TLS 1.0
Source: unknown DNS traffic detected: queries for: mmeetalss.000webhostapp.com
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.rapidssl.com/RapidSSLRSACA2018.crt0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp String found in binary or memory: http://cdp.rapidssl.com/RapidSSLRSACA2018.crl0L
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0c
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp String found in binary or memory: http://mmeetalss.000webhostapp.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0B
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp String found in binary or memory: http://status.rapidssl.com0=
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp String found in binary or memory: http://us-east-1.route-1.000webhost.awex.io
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTz
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comY
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.come
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comq
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: WcHO1ZGiIn.exe, 00000000.00000002.1297765767.0000000005550000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.come.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1297765767.0000000005550000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: WcHO1ZGiIn.exe, 00000000.00000003.210271161.000000000558E000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comW
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WcHO1ZGiIn.exe, 00000000.00000003.220727614.000000000558D000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: WcHO1ZGiIn.exe, 00000000.00000003.210726833.000000000556B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comy
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp String found in binary or memory: https://mmeetalss.000webhostapT
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp String found in binary or memory: https://mmeetalss.000webhostapp.com
Source: WcHO1ZGiIn.exe, WcHO1ZGiIn.exe, 00000000.00000002.1294375558.0000000002661000.00000004.00000001.sdmp String found in binary or memory: https://mmeetalss.000webhostapp.com/Serwices.exe
Source: WcHO1ZGiIn.exe String found in binary or memory: https://mmeetalss.000webhostapp.com/Serwices.exe)WindowsFormsApp7.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp, Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
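
The network indicators above (the mmeetalss.000webhostapp.com DNS query and download URL, the TLS 1.0 session to 145.14.145.185:443, the JA3 hash 54328bd36c14bd82ddaa0c04b25ed9ad) are most useful once they are turned into a log sweep. The script below is an added example, not part of the sandbox report: it parses Zeek-style dns.log and ssl.log records, matches them against IOC sets taken from this report, and also checks proxy-style URLs. The log records are constructed for the example (Zeek column names, the report's values in the first row of each log); the Zeek version strings (`TLSv10`, ...) and the `ja3` column added by the Zeek JA3 package are the assumed input format.

```python
"""Sweep Zeek-style logs for the network indicators in this report.

Added example, not part of the sandbox report.  IOC sets hold the values the
report lists; the log records below are constructed in Zeek's tab-separated
format with those values dropped in.  Columns are located via the '#fields'
header line, so the real logs' field order does not matter.
"""
from urllib.parse import urlsplit

IOC_DOMAINS = {"mmeetalss.000webhostapp.com"}
IOC_URLS = {"https://mmeetalss.000webhostapp.com/Serwices.exe"}
IOC_IPS = {"145.14.145.185"}
IOC_JA3 = {"54328bd36c14bd82ddaa0c04b25ed9ad"}
LEGACY_TLS = {"SSLv3", "TLSv10", "TLSv11"}     # Zeek's ssl.log version strings


def parse_zeek_tsv(text: str) -> list:
    """Return one dict per record, keyed by the names in the '#fields' line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def domain_matches(name: str) -> bool:
    """True for the IOC domain itself or a subdomain of it.  The 000webhostapp.com
    parent is shared free hosting and is deliberately not matched."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def url_matches(url: str) -> bool:
    """Match a proxy-logged URL: scheme and host case-insensitively, path as-is."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return f"{p.scheme.lower()}://{host}{p.path}" in IOC_URLS or domain_matches(host)


def sweep(dns_log: str, ssl_log: str) -> list:
    """Return (log, client_ip, reason) triples for every record that hits."""
    hits = []
    for r in parse_zeek_tsv(dns_log):
        if domain_matches(r["query"]):
            hits.append(("dns", r["id.orig_h"], f"query for {r['query']}"))
    for r in parse_zeek_tsv(ssl_log):
        reasons = []
        if r["id.resp_h"] in IOC_IPS:
            reasons.append("C2 IP")
        if r.get("server_name", "-") != "-" and domain_matches(r["server_name"]):
            reasons.append("C2 SNI")
        if r.get("ja3") in IOC_JA3:
            reasons.append("malicious JA3")
        if r.get("version") in LEGACY_TLS:          # the report's TLS 1.0 session
            reasons.append(f"legacy {r['version']}")
        if reasons:
            hits.append(("ssl", r["id.orig_h"], ", ".join(reasons)))
    return hits


def _tsv(*rows) -> str:
    return "\n".join("\t".join(r) for r in rows)


# Constructed records: Zeek column names, report values in the first data row,
# benign traffic in the others.  Not captured traffic.
DNS_LOG = _tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "query", "qtype_name", "answers"),
    ("1623000000.1", "CdnsA", "192.168.2.3", "52001", "192.168.2.1", "53",
     "mmeetalss.000webhostapp.com", "A", "145.14.145.185"),
    ("1623000001.2", "CdnsB", "192.168.2.7", "52002", "192.168.2.1", "53",
     "www.example.org", "A", "-"),
)
SSL_LOG = _tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "version", "cipher", "server_name", "ja3"),
    ("1623000000.3", "CsslA", "192.168.2.3", "49730", "145.14.145.185", "443",
     "TLSv10", "TLS_RSA_WITH_AES_256_CBC_SHA", "mmeetalss.000webhostapp.com",
     "54328bd36c14bd82ddaa0c04b25ed9ad"),
    ("1623000002.0", "CsslB", "192.168.2.7", "49800", "203.0.113.10", "443",
     "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "www.example.org", "-"),
    ("1623000003.0", "CsslC", "192.168.2.9", "49900", "198.51.100.5", "443",
     "TLSv10", "TLS_RSA_WITH_RC4_128_SHA", "legacy.example.net", "-"),
)

if __name__ == "__main__":
    for hit in sweep(DNS_LOG, SSL_LOG):
        print(hit)
    print(url_matches("https://mmeetalss.000webhostapp.com/Serwices.exe"))
```

The third ssl.log row shows why the legacy-TLS check is kept separate from the IOC checks: a TLS 1.0 session on its own is only a weak, noisy signal, while the first row stacks four independent reasons. Matching is restricted to the mmeetalss subdomain because 000webhostapp.com hosts many unrelated free sites and the report only supports the one host.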

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Code function: 0_2_025EC014 0_2_025EC014
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Code function: 0_2_025EE9F8 0_2_025EE9F8
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Code function: 0_2_025EE9EA 0_2_025EE9EA
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Code function: 0_2_072A3008 0_2_072A3008
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Sample file is different than original file name gathered from version info
Source: WcHO1ZGiIn.exe, 00000000.00000000.208020059.0000000000378000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamevmware.exeH& vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300050752.0000000007AA0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Uses 32bit PE files
Source: WcHO1ZGiIn.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: WcHO1ZGiIn.exe, 00000000.00000003.211424744.000000000558D000.00000004.00000001.sdmp Binary or memory string: 0s.slnt
Source: classification engine Classification label: mal84.troj.evad.winEXE@4/5@2/2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6792
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
Source: WcHO1ZGiIn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\WcHO1ZGiIn.exe 'C:\Users\user\Desktop\WcHO1ZGiIn.exe'
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: WcHO1ZGiIn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WcHO1ZGiIn.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: WcHO1ZGiIn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE
Binary contains a suspicious time stamp
Source: WcHO1ZGiIn.exe Static PE information: 0xF65E7472 [Sat Dec 25 02:35:30 2100 UTC]
Note: the sample is a .NET assembly (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is present, see System Summary). Roslyn's deterministic-build option, the default for SDK-style .NET projects, writes a content hash into TimeDateStamp instead of a build time, so an implausible date on a managed binary is weak evidence of tampering on its own.
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Code function: 0_2_025E1C58 push ebx; iretd 0_2_025E1C7A
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Code function: 0_2_072A01A8 push esp; ret 0_2_072A01C1
Source: initial sample Static PE information: section name: .text entropy: 7.91688767113
Source: WcHO1ZGiIn.exe, WindowsFormsApp9/kjhgfdghjkhgfh.cs High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
Source: Serwices.exe.0.dr, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: Serwices.exe.0.dr, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 0.0.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.cs High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
Source: 0.2.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.cs High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
Source: 4.0.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.0.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 4.2.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.2.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 4.0.Serwices.exe.ee0000.9.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.0.Serwices.exe.ee0000.9.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 4.0.Serwices.exe.ee0000.1.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.0.Serwices.exe.ee0000.1.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
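The two entropy signatures above are Shannon-entropy heuristics: the initial sample's .text section scores 7.92 bits per byte, close to the 8-bit maximum that compressed or encrypted data reaches and far above plain IL or x86 code, and the method names of kjhgfdghjkhgfh.cs and the two Serwices.exe classes score high when joined into one string because they are random mixed-case identifiers rather than words. The Python below is an added example, not Joe Sandbox's code, that reproduces both measurements: it scores the method names copied from the kjhgfdghjkhgfh.cs line against a constructed set of ordinary WinForms names, and scores two constructed stand-in sections. The 5.0 and 7.0 thresholds are assumptions chosen for this illustration; the sandbox's own cut-offs are not stated on this page.

```python
import math
import random
from collections import Counter

# Method names copied from the WindowsFormsApp9/kjhgfdghjkhgfh.cs evidence line above.
OBFUSCATED_NAMES = ['.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq',
                    'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v',
                    'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN']

# Constructed comparison set: typical names in an unobfuscated WinForms class.
PLAIN_NAMES = ['.ctor', 'Dispose', 'InitializeComponent', 'Form1_Load', 'button1_Click',
               'textBox1_TextChanged', 'Main', 'get_Items', 'set_Items']

# Thresholds are assumptions for this example; the sandbox's own cut-offs are not published here.
NAME_ENTROPY_THRESHOLD = 5.0      # bits per character over the concatenated names
SECTION_ENTROPY_THRESHOLD = 7.0   # bits per byte over a PE section


def shannon_entropy(data) -> float:
    """Shannon entropy in bits per symbol; data is a str (per character) or bytes (per byte)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def method_name_entropy(names) -> float:
    """Entropy of all method names of one type joined into a single string,
    which is what the 'concatenated method names' signature measures."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names) -> bool:
    return method_name_entropy(names) >= NAME_ENTROPY_THRESHOLD


def looks_packed(section: bytes) -> bool:
    """Near 8 bits/byte means compressed or encrypted content rather than plain code."""
    return shannon_entropy(section) >= SECTION_ENTROPY_THRESHOLD


def constructed_sections():
    """Two stand-in .text sections: seeded pseudo-random bytes (mimics an encrypted
    payload) and repetitive ASCII (mimics ordinary, low-entropy content)."""
    rng = random.Random(1)
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    plain_like = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 512
    return encrypted_like, plain_like


if __name__ == "__main__":
    print(f"obfuscated names: {method_name_entropy(OBFUSCATED_NAMES):.2f} bits/char")
    print(f"plain names:      {method_name_entropy(PLAIN_NAMES):.2f} bits/char")
    enc, plain = constructed_sections()
    print(f"random section:   {shannon_entropy(enc):.3f} bits/byte, packed={looks_packed(enc)}")
    print(f"ascii section:    {shannon_entropy(plain):.3f} bits/byte, packed={looks_packed(plain)}")
```

The name score is only meaningful per type: a handful of names from one class is a small sample, so a single odd identifier does not move it much, while a whole class of random 9- and 18-character names does, as the values here show. Section entropy near 8 says the bytes are not code in the clear; it does not say which packer or crypter produced them.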

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Thread delayed: delay time: 30000
Source: Serwices.exe.0.dr Binary or memory string: CompanyNameVMware, Inc.P&
Source: Serwices.exe.0.dr Binary or memory string: OriginalFilenamevmware.exeH&
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp Binary or memory string: ProductNameVMware WorkstmKRo
Source: Serwices.exe.0.dr Binary or memory string: ProductNameVMware WorkstationP,
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Serwices.exe Binary or memory string: VMware, Inc.
Source: Serwices.exe Binary or memory string: vmware.exe
Source: Report.wer.7.dr Binary or memory string: AppName=VMware Workstation
Source: WcHO1ZGiIn.exe, 00000000.00000002.1292914765.00000000009D2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: Serwices.exe.0.dr Binary or memory string: FileDescriptionVMware WorkstationL,
Source: Serwices.exe.0.dr Binary or memory string: 1998-2021 VMware, Inc.@
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Serwices.exe Binary or memory string: 1998-2021 VMware, Inc.
Source: Report.wer.7.dr Binary or memory string: OriginalFilename=vmware.exe
Source: WER4AC4.tmp.xml.7.dr Binary or memory string: <arg nm="apporiginalfilename" val="vmware.exe" />
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WcHO1ZGiIn.exe, 00000000.00000002.1292914765.00000000009D2000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp Binary or memory string: ProductNameVMware WorkstZ|L}X
Source: Serwices.exe Binary or memory string: VMware Workstation
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process information queried: ProcessInformation
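Reading the "Contains capabilities to detect virtual machines" evidence: only the first line is a check performed at run time. The sample opens a SCSI CdRom device interface whose hardware ID carries VMware's SCSI vendor and product strings (Ven_NECVMWar, Prod_VMware_SATA_CD00), which is a real hypervisor fingerprint. Every other line is a string found in a file or in memory, and most of them are version-info fields of the dropped Serwices.exe (CompanyName, OriginalFilename, ProductName, FileDescription, copyright) that make it look like VMware Workstation; the WerFault report and its XML repeat them (AppName=VMware Workstation, apporiginalfilename vmware.exe) because that is what the crashed process claimed to be. Those lines show impersonation, not a probe. The Python below is an added example, not part of the report, that sorts evidence lines of this format into those categories and splits the device-interface path into its documented parts: enumerator, device ID, instance ID and interface-class GUID, separated by '#'. The version-info key list and VM token list are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Evidence lines copied from the "Contains capabilities to detect virtual machines" list above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: Serwices.exe.0.dr Binary or memory string: CompanyNameVMware, Inc.P&",
    r"Source: Serwices.exe.0.dr Binary or memory string: OriginalFilenamevmware.exeH&",
    r"Source: Serwices.exe.0.dr Binary or memory string: FileDescriptionVMware WorkstationL,",
    r"Source: Report.wer.7.dr Binary or memory string: AppName=VMware Workstation",
    r'Source: WER4AC4.tmp.xml.7.dr Binary or memory string: <arg nm="apporiginalfilename" val="vmware.exe" />',
    r"Source: Serwices.exe Binary or memory string: VMware, Inc.",
    r"Source: WcHO1ZGiIn.exe, 00000000.00000002.1292914765.00000000009D2000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
]

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<verb>File opened / queried|Binary or memory string): (?P<value>.*)$")

# Assumed lists for this example. The keys are VS_VERSIONINFO string names plus the two
# WER fields seen above; the tokens are common hypervisor vendor names.
VERSION_INFO_KEYS = ("CompanyName", "OriginalFilename", "ProductName", "FileDescription",
                     "LegalCopyright", "InternalName", "AppName=", "apporiginalfilename")
VM_TOKENS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v", "xen")


def parse_device_interface_path(path: str):
    """Split a device-interface path into enumerator#device-id#instance-id#{interface-class}.
    Returns None for anything that does not have that four-part shape."""
    parts = path.lstrip("\\?").split("#")
    if len(parts) != 4 or not (parts[3].startswith("{") and parts[3].endswith("}")):
        return None
    return {"enumerator": parts[0], "device_id": parts[1],
            "instance": parts[2], "interface_class": parts[3]}


def classify(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    verb, value = m.group("verb"), m.group("value")
    vm_hit = any(tok in value.lower() for tok in VM_TOKENS)
    if verb == "File opened / queried":
        dev = parse_device_interface_path(value)
        # A run-time open of a VM-branded device is the only genuine probe in this list.
        return "active_probe" if (dev and vm_hit) else "file_access"
    if any(value.startswith(k) or f'"{k}"' in value for k in VERSION_INFO_KEYS):
        return "version_info"      # the sample's own resource strings: masquerade, not a check
    return "passive_string" if vm_hit else "other"


def triage(lines):
    """Bucket report lines by what they actually demonstrate."""
    buckets = defaultdict(list)
    for line in lines:
        cat = classify(line)
        if cat:
            buckets[cat].append(line)
    return dict(buckets)


if __name__ == "__main__":
    for cat, lines in triage(REPORT_LINES).items():
        print(f"{cat}: {len(lines)} line(s)")
```

The split matters for scoring: one active device query is a deliberate VM check, while a dozen VMware strings that all come from the sample's own version resource are a naming trick aimed at users and triage analysts. The same resource is why the "Sample file is different than original file name gathered from version info" signature fires.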

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Users\user\Desktop\WcHO1ZGiIn.exe VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Serwices.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE