
Analysis Report WcHO1ZGiIn

Overview

General Information

Sample Name: WcHO1ZGiIn (renamed file extension from none to exe)
Analysis ID: 432864
MD5: c7b10eb81f543debd7092703917cf6e5
SHA1: cfa927622c9ffb371aeb7fdbb4c32798ec6fbcdd
SHA256: aa46ed83ddd4f41f0c8eff6a404206cad70a7ecf4dd8754ee305655ffffee4bb

Most interesting Screenshot: (screenshot not captured in this text export)

Detection

AgentTesla, Matiex
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected Matiex Keylogger
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Beds Obfuscator
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

  • System is w10x64
  • WcHO1ZGiIn.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\WcHO1ZGiIn.exe' MD5: C7B10EB81F543DEBD7092703917CF6E5)
    • Serwices.exe (PID: 6792 cmdline: 'C:\Users\user\AppData\Local\Temp\Serwices.exe' MD5: CF1048A8362B93B9CDF47260B50D8F37)
      • WerFault.exe (PID: 7032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.Serwices.exe.43e7f14.13.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
4.0.Serwices.exe.43e7f14.13.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(5 of 43 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: WcHO1ZGiIn.exe | Virustotal: Detection: 41%
Source: WcHO1ZGiIn.exe | ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WcHO1ZGiIn.exe | Joe Sandbox ML: detected
Source: WcHO1ZGiIn.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown | HTTPS traffic detected: 145.14.145.185:443 -> 192.168.2.3:49730 version: TLS 1.0
Source: WcHO1ZGiIn.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WER46DA.tmp.dmp.7.dr
Source: Binary string: i8C:\Windows\WindowsApp26.pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Serwices.PDB source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb8~d source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: jC:\Users\user\AppData\Local\Temp\WindowsApp26.pdb3 source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb.10 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: .pdbf source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: WindowsFormsApp9.pdb source: WcHO1ZGiIn.exe
Source: Binary string: WindowsApp26.pdbsApp26.pdbpdbp26.pdbsApp26.pdb209-4053062332-1002d source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb` source: WER46DA.tmp.dmp.7.dr
Source: Binary string: WindowsApp26.pdb source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp, Serwices.exe, Serwices.exe.0.dr
Source: Binary string: System.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: symbols\exe\WindowsApp26.pdb) source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbO source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Serwices.PDB1 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbLIST source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdbV source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: .pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdba source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbz source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: mmeetalss.000webhostapp.com
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.rapidssl.com/RapidSSLRSACA2018.crt0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp | String found in binary or memory: http://cdp.rapidssl.com/RapidSSLRSACA2018.crl0L
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0c
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp | String found in binary or memory: http://mmeetalss.000webhostapp.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp | String found in binary or memory: http://status.rapidssl.com0=
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp | String found in binary or memory: http://us-east-1.route-1.000webhost.awex.io
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTz
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comY
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comq
Source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: WcHO1ZGiIn.exe, 00000000.00000002.1297765767.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1297765767.0000000005550000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: WcHO1ZGiIn.exe, 00000000.00000003.210271161.000000000558E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comW
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WcHO1ZGiIn.exe, 00000000.00000003.220727614.000000000558D000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: WcHO1ZGiIn.exe, 00000000.00000003.210726833.000000000556B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comy
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp | String found in binary or memory: https://mmeetalss.000webhostapT
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmp | String found in binary or memory: https://mmeetalss.000webhostapp.com
Source: WcHO1ZGiIn.exe, WcHO1ZGiIn.exe, 00000000.00000002.1294375558.0000000002661000.00000004.00000001.sdmp | String found in binary or memory: https://mmeetalss.000webhostapp.com/Serwices.exe
Source: WcHO1ZGiIn.exe | String found in binary or memory: https://mmeetalss.000webhostapp.com/Serwices.exe)WindowsFormsApp7.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp, Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025EC014
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025EE9F8
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025EE9EA
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_072A3008
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Source: WcHO1ZGiIn.exe, 00000000.00000000.208020059.0000000000378000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevmware.exeH& vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300050752.0000000007AA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000003.211424744.000000000558D000.00000004.00000001.sdmp | Binary or memory string: 0s.slnt
Source: classification engine | Classification label: mal84.troj.evad.winEXE@4/5@2/2
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6792
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
Source: WcHO1ZGiIn.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\WcHO1ZGiIn.exe 'C:\Users\user\Desktop\WcHO1ZGiIn.exe'
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: WcHO1ZGiIn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WcHO1ZGiIn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE
                      Source: WcHO1ZGiIn.exe | Static PE information: 0xF65E7472 [Sat Dec 25 02:35:30 2100 UTC]
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025E1C58 push ebx; iretd 0_2_025E1C7A
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_072A01A8 push esp; ret 0_2_072A01C1
                      Source: initial sample | Static PE information: section name: .text entropy: 7.91688767113
                      Source: WcHO1ZGiIn.exe, WindowsFormsApp9/kjhgfdghjkhgfh.cs | High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
                      Source: Serwices.exe.0.dr, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: Serwices.exe.0.dr, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 0.0.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.cs | High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
                      Source: 0.2.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.cs | High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
                      Source: 4.0.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.0.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 4.2.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.2.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 4.0.Serwices.exe.ee0000.9.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.0.Serwices.exe.ee0000.9.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: 4.0.Serwices.exe.ee0000.1.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
                      Source: 4.0.Serwices.exe.ee0000.1.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
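The three static findings in this block (a TimeDateStamp in the year 2100, a .text section at 7.92 bits/byte, and method names that look like random alphanumerics) are cheap to reproduce outside the sandbox. The Python below is an added example, not Joe Sandbox code and not part of this report: it walks a PE's COFF header and section table, decodes TimeDateStamp, computes Shannon entropy per section, and scores a list of method names the way the "high entropy of concatenated method names" signature does. The image it parses is constructed in memory with the report's 0xF65E7472 timestamp and a pseudo-random .text section; the analysis date, the entropy threshold and the clean-name baseline are assumptions.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: the date of the sandbox run; a build timestamp later than this cannot be genuine.
ANALYSIS_TIME = datetime(2021, 6, 10, tzinfo=timezone.utc)
ENTROPY_THRESHOLD = 7.5   # assumption: bits/byte above this means packed or encrypted content

# Method names quoted in the report for WindowsFormsApp9/kjhgfdghjkhgfh.cs.
OBFUSCATED_NAMES = ['.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym',
                    'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN']
# Constructed baseline: names a hand-written WinForms class would carry.
CLEAN_NAMES = ['Dispose', 'InitializeComponent', 'Main', 'GetConfig', 'SaveConfig', 'OnLoad']


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(tds: int) -> datetime:
    """COFF TimeDateStamp is seconds since the Unix epoch; timedelta sidesteps platform limits on far-future values."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=tds)


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table; the optional header is skipped by its size."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, tds, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        entry = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[entry[4]:entry[4] + entry[3]]          # PointerToRawData / SizeOfRawData
        sections.append({"name": entry[0].rstrip(b"\0").decode("ascii", "replace"),
                         "size": entry[3], "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": tds, "characteristics": chars, "sections": sections}


def name_entropy(names) -> float:
    """The signature's metric: entropy of all method names concatenated, in bits per character."""
    return shannon_entropy("".join(names).encode("utf-8"))


def triage(blob: bytes, now: datetime = ANALYSIS_TIME) -> list:
    """Return the static findings a sandbox would raise for this image."""
    pe = parse_pe(blob)
    findings = []
    when = pe_timestamp(pe["timestamp"])
    if pe["timestamp"] == 0:
        findings.append("timestamp is zero (stripped or reproducible build)")
    elif when > now:
        findings.append(f"timestamp in the future: {when:%Y-%m-%d %H:%M:%S} UTC (0x{pe['timestamp']:08X})")
    elif when.year < 1995:
        findings.append(f"timestamp predates PE-era toolchains: {when:%Y-%m-%d}")
    for s in pe["sections"]:
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"section {s['name']} entropy {s['entropy']:.3f} > {ENTROPY_THRESHOLD}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE-shaped image: the report's TimeDateStamp, a random .text and an all-zero .data."""
    rng = random.Random(1)
    text_raw = bytes(rng.getrandbits(8) for _ in range(4096))
    data_raw = b"\0" * 1024
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0xF65E7472, 0, 0, 0, 0x0102)   # i386, 2 sections, no optional header
    text_ptr = e_lfanew + 4 + 20 + 40 * 2
    data_ptr = text_ptr + len(text_raw)
    table = struct.pack("<8sIIIIIIHHI", b".text", len(text_raw), 0x1000, len(text_raw), text_ptr, 0, 0, 0, 0, 0x60000020)
    table += struct.pack("<8sIIIIIIHHI", b".data", len(data_raw), 0x3000, len(data_raw), data_ptr, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + table + text_raw + data_raw


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print("[!]", finding)
    print(f"obfuscated names: {name_entropy(OBFUSCATED_NAMES):.2f} bits/char, "
          f"clean names: {name_entropy(CLEAN_NAMES):.2f} bits/char")
```

A future timestamp is not proof of malice on its own (linkers can be told to write any value, and reproducible builds zero it), which is why the signature is only one line in the score; the entropy and name checks, taken together with it, are what make a .NET stub like this one stand out.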
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Process information set: NOOPENFILEERRORBOX (50 identical events)
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Process information set: NOOPENFILEERRORBOX (16 identical events)
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical events)

                      Malware Analysis System Evasion:

                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Thread delayed: delay time: 30000
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Thread delayed: delay time: 30000
                      Source: Serwices.exe.0.dr | Binary or memory string: CompanyNameVMware, Inc.P&
                      Source: Serwices.exe.0.dr | Binary or memory string: OriginalFilenamevmware.exeH&
                      Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: ProductNameVMware WorkstmKRo
                      Source: Serwices.exe.0.dr
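The evasion block above rests on two kinds of evidence: a 30-second Sleep() that Joe Sandbox records twice (once as "Thread sleep time", once as "Thread delayed"), and VMware vendor strings. Those strings deserve a caveat: the dropped file's version info claims OriginalFilename vmware.exe and CompanyName VMware, Inc., which is masquerading rather than VM detection, whereas the query of a SCSI CD-ROM device path containing Ven_NECVMWar is a live fingerprinting probe. The Python below is an added example, not Joe Sandbox code: it scores behaviour lines in this report's format, sums the stall time without double-counting the duplicate rendering, and weights a live device query as strong evidence and an embedded string as weak. The sleep threshold and the benign control line at the end of the input are assumptions.

```python
import re
from dataclasses import dataclass, field

# Vendor markers a VM-aware sample looks for in device paths, registry values and version info.
VM_MARKERS = ("vmware", "vmwar", "vbox", "virtualbox", "qemu", "vmxnet", "prl_")
# Joe Sandbox renders one Sleep() two ways; only the "delayed" form is summed so the call is not counted twice.
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")    # milliseconds
SLEEP_RE = re.compile(r"Thread sleep time: -?(\d+)s")           # the same call, second rendering
SLEEP_THRESHOLD_S = 20.0   # assumption: a cumulative stall this long at start-up is a sandbox time-out attempt


@dataclass
class Artifact:
    marker: str
    strength: str   # "strong": live device/registry query; "weak": a static string, possibly just masquerading
    line: str


@dataclass
class EvasionSummary:
    stall_seconds: float = 0.0
    artifacts: list = field(default_factory=list)

    def strong(self) -> list:
        return [a for a in self.artifacts if a.strength == "strong"]

    @property
    def verdict(self) -> str:
        stalled = self.stall_seconds >= SLEEP_THRESHOLD_S
        if self.strong() and stalled:
            return "evasive: live VM fingerprinting plus stalling sleep"
        if self.strong():
            return "suspicious: live VM fingerprinting"
        if stalled:
            return "suspicious: stalling sleep"
        if self.artifacts:
            return "weak: VM vendor strings only (version-info masquerade is as likely as VM detection)"
        return "no evasion indicators"


def classify(line: str):
    """Map one behaviour line to ('sleep', milliseconds), ('vm', Artifact) or None."""
    m = DELAY_RE.search(line)
    if m:
        return "sleep", int(m.group(1))
    if SLEEP_RE.search(line):
        return None                       # duplicate rendering of a Sleep() already counted via DELAY_RE
    low = line.lower()
    for marker in VM_MARKERS:
        if marker in low:
            strength = "strong" if "file opened / queried" in low else "weak"
            return "vm", Artifact(marker, strength, line.strip())
    return None


def summarize(lines) -> EvasionSummary:
    """Fold a list of behaviour lines into stall time plus VM artifacts."""
    summary = EvasionSummary()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, value = hit
        if kind == "sleep":
            summary.stall_seconds += value / 1000.0
        else:
            summary.artifacts.append(value)
    return summary


# Constructed input: the behaviour lines from this report, plus one benign control line at the end.
SAMPLE_LINES = [
    r"C:\Users\user\Desktop\WcHO1ZGiIn.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 | Thread sleep time: -30000s >= -30000s",
    r"C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 | Thread sleep time: -30000s >= -30000s",
    r"C:\Users\user\AppData\Local\Temp\Serwices.exe | Thread delayed: delay time: 30000",
    r"C:\Users\user\AppData\Local\Temp\Serwices.exe | Thread delayed: delay time: 30000",
    "Serwices.exe.0.dr | Binary or memory string: CompanyNameVMware, Inc.",
    "Serwices.exe.0.dr | Binary or memory string: OriginalFilenamevmware.exe",
    "WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: ProductNameVMware Workst",
    r"C:\Users\user\Desktop\WcHO1ZGiIn.exe | File created: C:\Users\user\AppData\Local\Temp\Serwices.exe",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"stall {s.stall_seconds:.0f}s, {len(s.artifacts)} VM artifacts ({len(s.strong())} strong): {s.verdict}")
```

Run against the report's lines this yields 60 seconds of stall, four VM artifacts of which one is strong, and the verdict "evasive"; feed it only the version-info strings and it drops to "weak", which is the distinction a triage analyst should keep in mind when reading the Evasion section on its own.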