
Analysis Report WcHO1ZGiIn

Overview

General Information

Sample Name: WcHO1ZGiIn (renamed file extension from none to exe)
Analysis ID: 432864
MD5: c7b10eb81f543debd7092703917cf6e5
SHA1: cfa927622c9ffb371aeb7fdbb4c32798ec6fbcdd
SHA256: aa46ed83ddd4f41f0c8eff6a404206cad70a7ecf4dd8754ee305655ffffee4bb

Detection

AgentTesla Matiex
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected Matiex Keylogger
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Beds Obfuscator
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

  • System is w10x64
  • WcHO1ZGiIn.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\WcHO1ZGiIn.exe' MD5: C7B10EB81F543DEBD7092703917CF6E5)
    • Serwices.exe (PID: 6792 cmdline: 'C:\Users\user\AppData\Local\Temp\Serwices.exe' MD5: CF1048A8362B93B9CDF47260B50D8F37)
      • WerFault.exe (PID: 7032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.Serwices.exe.43e7f14.13.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
4.0.Serwices.exe.43e7f14.13.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
4.2.Serwices.exe.4475bd0.6.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe; ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: WcHO1ZGiIn.exe; Virustotal: Detection: 41%
Source: WcHO1ZGiIn.exe; ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WcHO1ZGiIn.exe; Joe Sandbox ML: detected
Source: WcHO1ZGiIn.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown; HTTPS traffic detected: 145.14.145.185:443 -> 192.168.2.3:49730 version: TLS 1.0
Source: WcHO1ZGiIn.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; HTTPS traffic detected: 145.14.145.185:443 -> 192.168.2.3:49730 version: TLS 1.0
Source: unknown; DNS traffic detected: queries for: mmeetalss.000webhostapp.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Code function: 0_2_025EC014
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Code function: 0_2_025EE9F8
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Code function: 0_2_025EE9EA
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Code function: 0_2_072A3008
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Source: WcHO1ZGiIn.exe, 00000000.00000000.208020059.0000000000378000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300324417.0000000007BA0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamevmware.exeH& vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe, 00000000.00000002.1300050752.0000000007AA0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe; Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs WcHO1ZGiIn.exe
Source: WcHO1ZGiIn.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: WcHO1ZGiIn.exe, 00000000.00000003.211424744.000000000558D000.00000004.00000001.sdmp; Binary or memory string: 0s.slnt
Source: classification engine; Classification label: mal84.troj.evad.winEXE@4/5@2/2
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6792
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
Source: WcHO1ZGiIn.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: WcHO1ZGiIn.exe; Virustotal: Detection: 41%
Source: WcHO1ZGiIn.exe; ReversingLabs: Detection: 58%
Source: unknown; Process created: C:\Users\user\Desktop\WcHO1ZGiIn.exe 'C:\Users\user\Desktop\WcHO1ZGiIn.exe'
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: WcHO1ZGiIn.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WcHO1ZGiIn.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: WcHO1ZGiIn.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: i8C:\Windows\WindowsApp26.pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Serwices.PDB source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: System.Core.pdb8~d source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: \??\C:\Windows\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: jC:\Users\user\AppData\Local\Temp\WindowsApp26.pdb3 source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER46DA.tmp.dmp.7.dr
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb.10 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
                      Source: Binary string: .pdbf source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
                      Source: Binary string: WindowsFormsApp9.pdb source: WcHO1ZGiIn.exe
                      Source: Binary string: WindowsApp26.pdbsApp26.pdbpdbp26.pdbsApp26.pdb209-4053062332-1002d source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb` source: WER46DA.tmp.dmp.7.dr
Source: Binary string: WindowsApp26.pdb source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp, Serwices.exe, Serwices.exe.0.dr
Source: Binary string: System.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: symbols\exe\WindowsApp26.pdb) source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbO source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdb source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Serwices.PDB1 source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbLIST source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\exe\WindowsApp26.pdbV source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: .pdb source: Serwices.exe, 00000004.00000002.253768306.0000000001339000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\WindowsApp26.pdba source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbz source: Serwices.exe, 00000004.00000000.236155688.0000000001647000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb source: WER46DA.tmp.dmp.7.dr
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: Serwices.exe, 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp
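The PDB strings above come from two different builds. WindowsApp26.pdb is the symbol file name compiled into WcHO1ZGiIn.exe and the dropped Serwices.exe; the \??\C:\Windows\symbols\exe\... and \??\C:\Windows\dll\... variants look like symbol search paths probed at runtime while a stack trace was produced for the crash that WerFault.exe handled, not strings stored in the file. D:\Before FprmT\...\VNXT.pdb, seen only in a heap region of Serwices.exe, is the build path of a payload unpacked in memory. To pull such records out of a file or a memory dump without trusting the PE debug directory, the following Python, an added example that is not part of the report or of Joe Sandbox, carves CodeView RSDS records and derives the symbol-store key. The GUIDs, ages and the demo buffer are constructed; only the two path strings are taken from the entries above.

```python
"""Carve CodeView 'RSDS' debug records (GUID, age, PDB path) out of any byte buffer."""
import re
import struct
import uuid
from typing import List, Tuple

# 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated PDB path: the layout the linker
# writes for IMAGE_DEBUG_TYPE_CODEVIEW. Scanning for it means a valid debug directory
# is not required, so the same routine works on memory dumps and unpacked regions.
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,1024})\x00", re.DOTALL)


def carve_rsds(data: bytes) -> List[Tuple[str, int, str]]:
    """Return every (guid, age, pdb_path) record found in `data`, in buffer order."""
    found = []
    for m in _RSDS.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))   # GUID is stored little-endian
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("utf-8", "replace")  # path is UTF-8 in practice
        found.append((guid, age, path))
    return found


def symbol_store_key(guid: str, age: int) -> str:
    """Key a symbol server expects for this PDB: GUID without dashes, upper-case, then age in hex."""
    return guid.replace("-", "").upper() + format(age, "X")


def build_rsds(guid: str, age: int, path: str) -> bytes:
    """Assemble one record; used here only to construct the demo buffer."""
    return b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age) + path.encode("utf-8") + b"\x00"


# Constructed demo buffer: filler, two records carrying the PDB paths quoted in the
# report (GUIDs and ages are made up, not taken from the sample), more filler.
DEMO_GUID_A = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
DEMO_GUID_B = "12345678-1234-5678-9abc-def012345678"
DEMO_BUFFER = (
    b"\x00" * 64
    + build_rsds(DEMO_GUID_A, 1, "WindowsApp26.pdb")
    + b"\xcc" * 32
    + build_rsds(DEMO_GUID_B, 3, r"D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb")
    + b"\xff" * 64
)

if __name__ == "__main__":
    for guid, age, path in carve_rsds(DEMO_BUFFER):
        print(f"{symbol_store_key(guid, age)}  {path}")
```

Run it over a raw file, a .sdmp region or an unpacked PE alike; a path that points into a developer's project tree, as VNXT.pdb does here, is a pivot for clustering other samples built from the same project.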

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE
Source: WcHO1ZGiIn.exe | Static PE information: 0xF65E7472 [Sat Dec 25 02:35:30 2100 UTC]
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_025E1C58 push ebx; iretd
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Code function: 0_2_072A01A8 push esp; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.91688767113
Source: WcHO1ZGiIn.exe, WindowsFormsApp9/kjhgfdghjkhgfh.cs | High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
Source: Serwices.exe.0.dr, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: Serwices.exe.0.dr, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 0.0.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.cs | High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
Source: 0.2.WcHO1ZGiIn.exe.370000.0.unpack, WindowsFormsApp9/kjhgfdghjkhgfh.cs | High entropy of concatenated method names: '.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym', 'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN'
Source: 4.0.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.0.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 4.2.Serwices.exe.ee0000.0.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.2.Serwices.exe.ee0000.0.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 4.0.Serwices.exe.ee0000.9.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.0.Serwices.exe.ee0000.9.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
Source: 4.0.Serwices.exe.ee0000.1.unpack, I2Y7vavHC9qgftfSCu/nXZxglXV1rOyshs1RQ.cs | High entropy of concatenated method names: '.cctor', 'h8q52ULNx', 'gRGNERdmx', 'W9VGOWgSf3458mrljM', 'fjFOO4LMo2rdANUaD9', 'CrZrhrA4pwTrds12Rt', 'gImJSuIU3Zaex5Tynd', 'y12M5Pn7nUcLhekjTd', 'Ey7Nt5tk0U9hQnMwIr', 'CNZaQm1cuhuOG4W8K3'
Source: 4.0.Serwices.exe.ee0000.1.unpack, PM25fBOq7Pf7PhkGtX/woTy5UlLKpvAdBi2Mo.cs | High entropy of concatenated method names: 'lnBjXs55MCGCF', '.ctor', '.cctor', 'YTctZ6qA3lZpHQSQiVo', 'caOwMsqIyuMkcktLb6j', 'X2bRVEqg9CkrpLjR9rZ', 'EfXnCKqL5mum5G1OiFu', 'mAwFd2qHAPqeKNCGgSF', 'sQl1KSq4rePBn8xeN5h', 'KWpNfuqnbeU6b7D5RT1'
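Two of the static checks above can be reproduced offline. The compile timestamp 0xF65E7472 decodes to 25 December 2100, a date no linker would have emitted, so the field was overwritten; and the 7.92-bit entropy of .text together with the random-looking method names are what the two "high entropy" signatures measure. The following Python is an added example, not code from the report or from Joe Sandbox: it reads TimeDateStamp from a PE header, classifies it against a reference clock, and applies Shannon entropy to both raw bytes and concatenated method names. The minimal PE header it builds, the reference time and the comparison list of ordinary WinForms method names are constructed for the demo; REPORT_TIMESTAMP and OBFUSCATED_NAMES are copied from the entries above.

```python
"""Static triage: future compile timestamps and entropy of sections / method names."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, Optional, Union

REPORT_TIMESTAMP = 0xF65E7472  # TimeDateStamp the report flags for WcHO1ZGiIn.exe


def pe_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a raw PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # PE\0\0 (4) + Machine (2) + NumberOfSections (2) puts TimeDateStamp at +8
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def timestamp_utc(ts: int) -> str:
    """Render a TimeDateStamp the way the report does, e.g. 'Sat Dec 25 02:35:30 2100 UTC'."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def classify_timestamp(ts: int, now_ts: Optional[int] = None) -> str:
    """'zero' (stripped by the build), 'future' (forged; a packer tell) or 'plausible'."""
    if now_ts is None:
        now_ts = int(datetime.now(timezone.utc).timestamp())
    if ts == 0:
        return "zero"
    if ts > now_ts:
        return "future"
    return "plausible"


def shannon_entropy(data: Union[bytes, str]) -> float:
    """Bits per symbol, 0.0 to 8.0 for bytes. Packed or encrypted code sits close to 8."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def method_name_entropy(names: Iterable[str]) -> float:
    """The 'high entropy of concatenated method names' heuristic: join, then measure."""
    return shannon_entropy("".join(names))


def minimal_pe(ts: int) -> bytes:
    """Constructed 0x58-byte image (DOS header + bare COFF header) for the demo; not the sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, no optional header, EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff


# Method names copied from the report's WindowsFormsApp9/kjhgfdghjkhgfh.cs entry.
OBFUSCATED_NAMES = ['.ctor', 'C3p4TV0ir', 'KoroguPyf', 'Dispose', 'AcMTiZDNq', 'NyTprRSGMXYTnKvgym',
                    'GDjjQJlB5GI1bt2nwq', 'YPmQgitlR69JPJa33v', 'g8n7cActjtqgYgX6WY', 'zno71hO4poZDovBlCN']
# Constructed comparison set of ordinary WinForms method names.
ORDINARY_NAMES = ['InitializeComponent', 'Dispose', 'button1_Click', 'Form1_Load',
                  'GetSettings', 'SaveSettings', 'ToString']

if __name__ == "__main__":
    ts = pe_timestamp(minimal_pe(REPORT_TIMESTAMP))
    print(hex(ts), timestamp_utc(ts), classify_timestamp(ts))
    print("obfuscated names:", round(method_name_entropy(OBFUSCATED_NAMES), 2))
    print("ordinary names:  ", round(method_name_entropy(ORDINARY_NAMES), 2))
    print("256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

The timestamp check is a one-sided signal: a forged stamp is evidence, a plausible one proves nothing, and .NET assemblies built with deterministic compilation legitimately carry a hash rather than a time in this field. Entropy is likewise a tell, not a verdict; legitimately compressed resources score high too, which is why the report pairs it with the obfuscator Yara hits.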
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File created: C:\Users\user\AppData\Local\Temp\Serwices.exe
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries)
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Process information set: NOOPENFILEERRORBOX (16 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe TID: 6796 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Thread delayed: delay time: 30000
Source: Serwices.exe.0.dr | Binary or memory string: CompanyNameVMware, Inc.P&
Source: Serwices.exe.0.dr | Binary or memory string: OriginalFilenamevmware.exeH&
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: ProductNameVMware WorkstmKRo
Source: Serwices.exe.0.dr | Binary or memory string: ProductNameVMware WorkstationP,
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Serwices.exe | Binary or memory string: VMware, Inc.
Source: Serwices.exe | Binary or memory string: vmware.exe
Source: Report.wer.7.dr | Binary or memory string: AppName=VMware Workstation
Source: WcHO1ZGiIn.exe, 00000000.00000002.1292914765.00000000009D2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: Serwices.exe.0.dr | Binary or memory string: FileDescriptionVMware WorkstationL,
Source: Serwices.exe.0.dr | Binary or memory string: 1998-2021 VMware, Inc.@
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Serwices.exe | Binary or memory string: 1998-2021 VMware, Inc.
Source: Report.wer.7.dr | Binary or memory string: OriginalFilename=vmware.exe
Source: WER4AC4.tmp.xml.7.dr | Binary or memory string: <arg nm="apporiginalfilename" val="vmware.exe" />
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WcHO1ZGiIn.exe, 00000000.00000002.1292914765.00000000009D2000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WcHO1ZGiIn.exe, 00000000.00000002.1294603294.00000000026F1000.00000004.00000001.sdmp | Binary or memory string: ProductNameVMware WorkstZ|L}X
Source: Serwices.exe | Binary or memory string: VMware Workstation
Source: WcHO1ZGiIn.exe, 00000000.00000002.1299162550.0000000006B40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Process created: C:\Users\user\AppData\Local\Temp\Serwices.exe 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: WcHO1ZGiIn.exe, 00000000.00000002.1293573998.00000000010D0000.00000002.00000001.sdmp, Serwices.exe, 00000004.00000000.236355857.0000000001D50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Users\user\Desktop\WcHO1ZGiIn.exe VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Serwices.exe | VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Serwices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\WcHO1ZGiIn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
                      Yara detected Matiex Keylogger
                      Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
                      Yara detected Matiex Keylogger
                      Source: Yara match | File source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Serwices.exe PID: 6792, type: MEMORY
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.43e7f14.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.Serwices.exe.4496274.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43c7870.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4475bd0.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.4496274.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.Serwices.exe.43e7f14.5.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 12 | Disable or Modify Tools 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 31 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

                      Behavior Graph

                      [behavior graph image not included in this text export; legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

                      Screenshots

                      [screenshot thumbnails not included in this text export]

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      WcHO1ZGiIn.exe | 41% | Virustotal |
                      WcHO1ZGiIn.exe | 59% | ReversingLabs | ByteCode-MSIL.Trojan.Fsysna
                      WcHO1ZGiIn.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Temp\Serwices.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Temp\Serwices.exe | 66% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      Source | Detection | Scanner | Label
                      us-east-1.route-1.000webhost.awex.io | 2% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://status.rapidssl.com0= | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.come | 0% | URL Reputation | safe
                      http://www.carterandcone.come | 0% | URL Reputation | safe
                      http://www.carterandcone.come | 0% | URL Reputation | safe
                      http://www.carterandcone.come | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.tiro.comy | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.comY | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.comq | 0% | Avira URL Cloud | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.carterandcone.com | 0% | URL Reputation | safe
                      http://www.carterandcone.com | 0% | URL Reputation | safe
                      http://www.carterandcone.com | 0% | URL Reputation | safe
                      http://www.fonts.comW | 0% | Avira URL Cloud | safe
                      http://www.fontbureau.come.com | 0% | URL Reputation | safe
                      http://www.fontbureau.come.com | 0% | URL Reputation | safe
                      http://www.fontbureau.come.com | 0% | URL Reputation | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.monotype. | 0% | URL Reputation | safe
                      http://www.monotype. | 0% | URL Reputation | safe
                      http://www.monotype. | 0% | URL Reputation | safe
                      https://mmeetalss.000webhostapT | 0% | Avira URL Cloud | safe
                      http://www.fontbureau.comm | 0% | URL Reputation | safe
                      http://www.fontbureau.comm | 0% | URL Reputation | safe
                      http://www.fontbureau.comm | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://us-east-1.route-1.000webhost.awex.io | 0% | Avira URL Cloud | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.carterandcone.comTz | 0% | Avira URL Cloud | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      us-east-1.route-1.000webhost.awex.io | 145.14.145.185 | true | false | | unknown
                      mmeetalss.000webhostapp.com | unknown | unknown | false | | high

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://status.rapidssl.com0= | WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                        http://mmeetalss.000webhostapp.com | WcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmp | false | | high
                        http://www.apache.org/licenses/LICENSE-2.0 | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | | high
                        http://www.fontbureau.com | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | | high
                        http://www.fontbureau.com/designersG | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | | high
                        http://cdp.rapidssl.com/RapidSSLRSACA2018.crl0L | WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmp | false | | high
                        http://www.carterandcone.come | WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                        http://www.fontbureau.com/designers/? | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | | high
                        http://www.founder.com.cn/cn/bThe | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                        http://www.tiro.comy | WcHO1ZGiIn.exe, 00000000.00000003.210726833.000000000556B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.carterandcone.comY | WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.fontbureau.com/designers? | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | | high
                        http://www.carterandcone.comq | WcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.tiro.com | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
                        http://www.fontbureau.com/designers | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | | high
                        http://www.goodfont.co.kr | WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmp | false | URL Reputation: safe |
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comWcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fonts.comWWcHO1ZGiIn.exe, 00000000.00000003.210271161.000000000558E000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.come.comWcHO1ZGiIn.exe, 00000000.00000002.1297765767.0000000005550000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comlWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sajatypeworks.comWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.typography.netDWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://mmeetalss.000webhostapp.comWcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.com/designers/cabarga.htmlNWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.founder.com.cn/cn/cTheWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.galapagosdesign.com/staff/dennis.htmWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://fontfabrik.comWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cnWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.monotype.WcHO1ZGiIn.exe, 00000000.00000003.220727614.000000000558D000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://mmeetalss.000webhostapTWcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              low
                                              http://www.fontbureau.commWcHO1ZGiIn.exe, 00000000.00000002.1297765767.0000000005550000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://mmeetalss.000webhostapp.com/Serwices.exe)WindowsFormsApp7.exeWcHO1ZGiIn.exefalse
                                                high
                                                http://us-east-1.route-1.000webhost.awex.ioWcHO1ZGiIn.exe, 00000000.00000002.1294550425.00000000026D4000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.galapagosdesign.com/DPleaseWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://mmeetalss.000webhostapp.com/Serwices.exeWcHO1ZGiIn.exe, WcHO1ZGiIn.exe, 00000000.00000002.1294375558.0000000002661000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.com/designers8WcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.carterandcone.comTzWcHO1ZGiIn.exe, 00000000.00000003.211918640.000000000558E000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fonts.comWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.sandoll.co.krWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.urwpp.deDPleaseWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://cacerts.rapidssl.com/RapidSSLRSACA2018.crt0WcHO1ZGiIn.exe, 00000000.00000002.1294447076.0000000002695000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.zhongyicts.com.cnWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameWcHO1ZGiIn.exe, 00000000.00000002.1294517377.00000000026BE000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.sakkal.comWcHO1ZGiIn.exe, 00000000.00000002.1298857454.0000000006762000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown

                                                          Contacted IPs

                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
145.14.145.185 | us-east-1.route-1.000webhost.awex.io | Netherlands | 204915 | AWEXUS | false

                                                          Private

                                                          IP
                                                          192.168.2.1

                                                          General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 432864
Start date: 10.06.2021
Start time: 21:13:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WcHO1ZGiIn (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.evad.winEXE@4/5@2/2
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0.1%)
• Quality average: 29.4%
• Quality standard deviation: 39.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 93.184.220.29, 168.61.161.212, 184.30.21.144, 104.43.193.48, 52.255.188.83, 23.57.80.111, 20.82.209.183, 51.103.5.186, 93.184.221.240, 20.54.26.129, 92.122.213.247, 92.122.213.194
• Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Execution Graph export aborted for target Serwices.exe, PID 6792 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
21:14:22 | API Interceptor | 1x Sleep call for process: WcHO1ZGiIn.exe modified
21:14:23 | API Interceptor | 2x Sleep call for process: Serwices.exe modified
21:14:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

Match | Associated Sample Name / URL | Detection | Context
145.14.145.185 | https://bit.ly/2Bex4ks | malicious | -

                                                            Domains

Match | Associated Sample Name / URL | Detection | Context
us-east-1.route-1.000webhost.awex.io | PURCHASE ORDER.exe | malicious | 145.14.144.45
us-east-1.route-1.000webhost.awex.io | 01_extracted.exe | malicious | 145.14.144.111
us-east-1.route-1.000webhost.awex.io | OyVPRUTe0s.exe | malicious | 145.14.144.197
us-east-1.route-1.000webhost.awex.io | hfrEZuBd5B.exe | malicious | 145.14.144.156
us-east-1.route-1.000webhost.awex.io | 1Z4191ecDy.exe | malicious | 145.14.144.12
us-east-1.route-1.000webhost.awex.io | j6RwLGBzlz.exe | malicious | 145.14.144.66
us-east-1.route-1.000webhost.awex.io | sample products 1,2,&,4.exe | malicious | 145.14.144.32
us-east-1.route-1.000webhost.awex.io | WAnYq4Yh0Z.exe | malicious | 145.14.144.64
us-east-1.route-1.000webhost.awex.io | Z4uLK26mIK.exe | malicious | 145.14.145.148
us-east-1.route-1.000webhost.awex.io | nb3WueUqUD.exe | malicious | 145.14.144.105
us-east-1.route-1.000webhost.awex.io | 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe | malicious | 145.14.144.143
us-east-1.route-1.000webhost.awex.io | 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe | malicious | 145.14.144.2
us-east-1.route-1.000webhost.awex.io | 6PKQHgSfco.exe | malicious | 145.14.144.105
us-east-1.route-1.000webhost.awex.io | OneNote.html | malicious | 145.14.144.102
us-east-1.route-1.000webhost.awex.io | ZKUR81PQIM.exe | malicious | 145.14.144.86
us-east-1.route-1.000webhost.awex.io | darkin.exe | malicious | 145.14.144.241
us-east-1.route-1.000webhost.awex.io | 2021_03_09.exe | malicious | 145.14.144.250
us-east-1.route-1.000webhost.awex.io | dfbzXONkPM.exe | malicious | 145.14.145.225
us-east-1.route-1.000webhost.awex.io | 0wTbI1V07f.exe | malicious | 145.14.144.210
us-east-1.route-1.000webhost.awex.io | i795zXB64c.exe | malicious | 145.14.145.83

                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
AWEXUS | All Details.exe | malicious | 145.14.144.54
AWEXUS | All the Documents and Details.exe | malicious | 145.14.145.180
AWEXUS | PURCHASE ORDER.exe | malicious | 145.14.144.45
AWEXUS | 01_extracted.exe | malicious | 145.14.144.111
AWEXUS | Additional documents required.pdf.exe | malicious | 145.14.145.180
AWEXUS | Kabyria El Arab-14326587.exe | malicious | 145.14.145.180
AWEXUS | Kabyria El Arab-14326587.exe | malicious | 145.14.144.209
AWEXUS | FedEx Receipt with Reference Code.exe | malicious | 145.14.144.209
AWEXUS | OyVPRUTe0s.exe | malicious | 145.14.144.197
AWEXUS | hfrEZuBd5B.exe | malicious | 145.14.144.156
AWEXUS | 1Z4191ecDy.exe | malicious | 145.14.144.12
AWEXUS | j6RwLGBzlz.exe | malicious | 145.14.144.66
AWEXUS | Scan copy of said documents.exe | malicious | 145.14.144.209
AWEXUS | A018379D343600DAB5B728E46D2EE4E12D3853837FCF1.exe | malicious | 145.14.144.210
AWEXUS | Abusive email letter from your account.exe | malicious | 145.14.145.180
AWEXUS | sample products 1,2,&,4.exe | malicious | 145.14.144.32
AWEXUS | Scan copy of said documents.exe | malicious | 145.14.145.177
AWEXUS | Scan copy of said documents.exe | malicious | 145.14.144.149
AWEXUS | Scan copy of said documents.exe | malicious | 145.14.144.209
AWEXUS | Additional documents.exe | malicious | 145.14.145.177

                                                            JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 3c2pU82NQD.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | RFQ-sib.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.PackedNET.825.24532.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | 090049000009000.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | DocumentScanCopy2021_pdf.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.PackedNET.831.4134.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | SWIFT COMMERCIAL DUTY 0218J.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | p8Wo6PbOjL.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | b7cgnOpObK.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | Invoice 8-6-2021.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | 090009000000090.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | Urgent Contract Order GH78566484,pdf.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | Invoice_OS169ENG 000003893148.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | 00404000004.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | 40900900090000.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | INVO090090202.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | Yl6482CO6U.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | ZmZvKByoew.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | V2GC02n03l.exe | malicious | 145.14.145.185
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.PackedNET.832.3222.exe | malicious | 145.14.145.185

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Serwices.exe_93af22b7c6936c1e8864515da72a114c413263e5_cb538d12_1b15506f\Report.wer
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):12010
                                                            Entropy (8bit):3.774565564979862
                                                            Encrypted:false
                                                            SSDEEP:96:cKBY1blUOaHoCKA+HxyrFpXIQcQvc6QcEDMcw3D7+BHUHZ0ownOgtYsH5Ef5BAKD:365CONJkHBUZMXCaK5/u7sWS274ItS8
                                                            MD5:5DAA7ECC705CD7DFB9CBF018ECDE97B1
                                                            SHA1:F46A6FB75438243DAE15455B18483478ED84B9A8
                                                            SHA-256:225C88C1C83DA91E88F36EBAA843756AF01AB7583A884E437AD7E8A43CD4AA24
                                                            SHA-512:BFDD484930711CB1FFB9F533878EC308CB63CFAEFB09299EE6DE2FCCCC91DCDF0A252F4A83E66AF4CDEF94279329AFFD7B7448E0106FD91E42871AB28A469E5C
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.7.8.5.8.4.7.0.6.6.5.2.8.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.7.8.5.8.4.7.1.8.2.1.5.2.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.6.e.8.2.2.1.-.9.7.0.4.-.4.2.6.6.-.8.5.0.d.-.6.4.8.0.0.5.3.6.0.1.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.0.5.5.b.f.5.-.c.6.1.1.-.4.2.d.3.-.a.7.7.5.-.b.e.9.5.d.a.e.b.e.2.7.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.r.w.i.c.e.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.m.w.a.r.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.8.8.-.0.0.0.1.-.0.0.1.7.-.1.c.1.8.-.4.9.4.2.7.8.5.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.9.5.9.c.1.5.1.2.c.7.6.9.4.f.9.f.a.b.8.4.8.8.f.2.9.4.7.5.e.9.2.0.0.0.0.0.9.0.4.!.0.0.0.0.6.7.f.2.3.a.5.9.9.e.4.a.5.4.a.2.f.3.c.e.1.2.1.9.9.8.4.4.5.e.1.2.c.9.7.b.a.
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER46DA.tmp.dmp
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Mini DuMP crash report, 14 streams, Fri Jun 11 04:14:31 2021, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):173962
                                                            Entropy (8bit):4.082057247202298
                                                            Encrypted:false
                                                            SSDEEP:3072:wZ8M019jd+pUuKlaxaA9gIOgF5EJ0wUCgUA4uEdE4S:kR01CpU/G9RpDEJ/TjF52
                                                            MD5:9C8F47B83F268474E818DA5ACE982FF2
                                                            SHA1:F41755213227525E94F452F2B81FDC930C451DE1
                                                            SHA-256:F0325AC74642D469244F61D2547BDB6415D4512A5ADB731A0EBD91CAA9E7CE20
                                                            SHA-512:99C94E3F330598D7FDAFBC77F387A5817D3A1FE0833E46A3C52797F893A7D701A86C523BE2C91490D32F8E24458E1E147C7DA9714129A9036E8B69B8B30B32D7
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: MDMP....... .......'..`...................U...........B..............GenuineIntelW...........T..............`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A27.tmp.WERInternalMetadata.xml
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8426
                                                            Entropy (8bit):3.691768294096698
                                                            Encrypted:false
                                                            SSDEEP:192:Rrl7r3GLNicd6f6Y3R66EgmfZyZSACpra89be2sf0Uqm:RrlsNiG6f6Ys6EgmfsZSLeVfh
                                                            MD5:FB0677DEBD76EB2BCEAF2ED1178995DF
                                                            SHA1:E6666F89FE4D01824C3CDF32171B0CC0E8E9E4E7
                                                            SHA-256:11099575EAA1A33756986BF3EC35E8D712AF52A2F76D70540538CB6317738AF4
                                                            SHA-512:CDA4FDBBB519F41A5F70C43BF4AC8113387E39D83B3F023651C6BE5CD37768E1ACFA3D4BE9F9ACE10B930DA607F70BE4C749B1B089A5EA591EBC2180367D50EA
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.9.2.<./.P.i.d.>.......
                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AC4.tmp.xml
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4769
                                                            Entropy (8bit):4.467016938878392
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwSD8zsDQ+JgtWI96cWSC8BV8fm8M4JRuJ7Z9prFf3+q8vvJ7Z9p7QbLCtd:uITfDndVSNYJmHpB3KRHp74LCtd
                                                            MD5:99C00274635D1060D1F6D7DBDD56940B
                                                            SHA1:6264B67C73AAC31E63B86E0820786C1C81A13F1D
                                                            SHA-256:3A3E92B8E574BCB6EF773CD966D196E4789A28E55019ED47689589263260A8A8
                                                            SHA-512:4ADAFA97E98D203309DD16FE5D11C94AC71EAA51D5CD7F9609F92419E363A5099F732B1F91AD015995ED2C4D1D7F4443E4CAE8849E59164DC6C157529DA06281
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1028965" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                            C:\Users\user\AppData\Local\Temp\Serwices.exe
                                                            Process:C:\Users\user\Desktop\WcHO1ZGiIn.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):795648
                                                            Entropy (8bit):7.913350326783711
                                                            Encrypted:false
                                                            SSDEEP:12288:wZJ5gK0I2omOHu1/CQ8tl//tR05iIm5Cqz7cQuBcTex:s6KlifUQ8bHtUm8qz7IBR
                                                            MD5:CF1048A8362B93B9CDF47260B50D8F37
                                                            SHA1:67F23A599E4A54A2F3CE121998445E12C97BA1BA
                                                            SHA-256:CB9CD8363620446C577396DD11CA16CD0AC377534C7A708CAC3F94CE6D898279
                                                            SHA-512:600B9B617BB409D3C00305CBF79E0D3E9DE5101C9A5BF5417C3FEA79378437D5837F0D2E2BC64F4098C584ADE1438B0A9E4E486E854870E5B91CFB584F2F3258
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                            Reputation:low
                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../.................P..............9... ...@....@.. ....................................@..................................8..K....@.......................`.......8............................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H........@...:......D...L{..Z............................................0..@.......+.(.:59(....8.....(.... .....9....&8....8........E........8....*:+.(..y\.(....*.B+.(6.j>~.......*...6+.(..!9~....*...0..B.......+.(._d(....8......(.... .....9....&8....8........E........8.....*..:+.(..f0.(....*.B+.(e..7~.......*...6+.(.LrV~....*...0..........+.((/4T ........8........E....f...+...u...........8a...*(.... .....:....&8....s.........8....s......... .....:....&8....s......... .....

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):5.272353284477175
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:WcHO1ZGiIn.exe
                                                            File size:19456
                                                            MD5:c7b10eb81f543debd7092703917cf6e5
                                                            SHA1:cfa927622c9ffb371aeb7fdbb4c32798ec6fbcdd
                                                            SHA256:aa46ed83ddd4f41f0c8eff6a404206cad70a7ecf4dd8754ee305655ffffee4bb
                                                            SHA512:6aa867a242f0fdec77310e18ef09796ce3f56b6b60afd801f33148abe2c5d1ff0bac7824b6133ab7b8b7d479f1d7781e1ac8b30c29aea98562f93d8e83dbf39f
                                                            SSDEEP:384:IuVlhGV5r4e8H+3LgLzLrnUZMctVdLtLCmL9qJRRYff9vwEG9/XwJwq6uJfq2GSq:IuI5r4VeknXctRCy4RRR2GzNigP
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rt^...............0..B...........a... ........@.. ....................................@................................

                                                            File Icon

                                                            Icon Hash:00828e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x40611e
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp:0xF65E7472 [Sat Dec 25 02:35:30 2100 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:v4.0.30319
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x60d0           0x4b          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x5e8         .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x6082           0x1c          .text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                            Sections

                                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                            .text   0x2000           0x4124        0x4200    False     0.441761363636   data       5.48630335217    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                            .rsrc   0x8000           0x5e8         0x600     False     0.42578125       data       4.1909894425     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc  0xa000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            Name         RVA     Size   Type                                                                           Language  Country
                                                            RT_VERSION   0x80a0  0x35c  data
                                                            RT_MANIFEST  0x83fc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                            Imports

                                                            DLL          Import
                                                            mscoree.dll  _CorExeMain

                                                            Version Infos

                                                            Description       Data
                                                            Translation       0x0000 0x04b0
                                                            LegalCopyright    Copyright 2021
                                                            Assembly Version  1.0.0.0
                                                            InternalName      WindowsFormsApp9.exe
                                                            FileVersion       1.0.0.0
                                                            CompanyName
                                                            LegalTrademarks
                                                            Comments
                                                            ProductName       WindowsFormsApp9
                                                            ProductVersion    1.0.0.0
                                                            FileDescription   WindowsFormsApp9
                                                            OriginalFilename  WindowsFormsApp9.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 21:14:19.525855064 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:19.681579113 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:19.681726933 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:19.713035107 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:19.868745089 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:19.870215893 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:19.870240927 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:19.870256901 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:19.870270967 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:19.870285988 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:19.870363951 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:19.875194073 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.032926083 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.086909056 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.246254921 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246299982 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246337891 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246366978 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246402025 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246417046 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.246442080 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.246442080 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246480942 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246488094 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.246527910 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246570110 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246582985 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.246608019 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.246655941 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402234077 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402275085 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402309895 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402326107 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402345896 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402381897 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402394056 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402420044 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402462959 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402463913 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402503014 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402538061 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402549028 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402573109 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402607918 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402618885 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402643919 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402678967 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402688980 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402714014 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402755022 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402757883 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402797937 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402831078 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402841091 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402865887 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402901888 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402909040 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.402937889 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.402981043 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558526993 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558551073 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558572054 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558589935 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558604956 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558608055 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558621883 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558629990 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558641911 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558657885 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558659077 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558686018 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558689117 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558698893 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558702946 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558712959 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558726072 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558738947 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558758020 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558774948 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558792114 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558808088 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558820963 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558825970 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558847904 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558850050 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558866978 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558883905 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558901072 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558902025 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558917999 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558933973 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558937073 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558952093 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558958054 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.558969975 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558990002 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.558995008 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185
Jun 10, 2021 21:14:20.559009075 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.559025049 CEST | 443 | 49730 | 145.14.145.185 | 192.168.2.3
Jun 10, 2021 21:14:20.559031963 CEST | 49730 | 443 | 192.168.2.3 | 145.14.145.185

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 21:14:04.051471949 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:04.106400967 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:04.893229961 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:04.943209887 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:05.265923023 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:05.329279900 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:05.830352068 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:05.883260965 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:06.741235018 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:06.794199944 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:08.078217030 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:08.136753082 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:09.372401953 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:09.422800064 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:10.403006077 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:10.461813927 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:11.502954960 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:11.564218998 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:13.270251989 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:13.320274115 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:14.110471964 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:14.160654068 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:15.065490007 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:15.116055012 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:15.917059898 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:15.968802929 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:17.128721952 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:17.180223942 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:18.163235903 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:18.216157913 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:19.231982946 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:19.282469988 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:19.337354898 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:19.411669016 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:19.430387020 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:19.504928112 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:20.184261084 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:20.250989914 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:21.093998909 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:21.153203011 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:22.254842997 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:22.314357996 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:23.148286104 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:23.201273918 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:31.792181015 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:31.843832970 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:38.072204113 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:38.194169998 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:14:41.569597960 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:14:41.639436960 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:15:00.065572023 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:15:00.119738102 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:15:00.299175024 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:15:00.350433111 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:15:00.458833933 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:15:00.511607885 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:15:13.783803940 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:15:13.862616062 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jun 10, 2021 21:15:15.366724968 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jun 10, 2021 21:15:15.429522991 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 10, 2021 21:14:19.337354898 CEST | 192.168.2.3 | 8.8.8.8 | 0xf17a | Standard query (0) | mmeetalss.000webhostapp.com | A (IP address) | IN (0x0001)
Jun 10, 2021 21:14:19.430387020 CEST | 192.168.2.3 | 8.8.8.8 | 0xe7c4 | Standard query (0) | mmeetalss.000webhostapp.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 10, 2021 21:14:19.411669016 CEST | 8.8.8.8 | 192.168.2.3 | 0xf17a | No error (0) | mmeetalss.000webhostapp.com | us-east-1.route-1.000webhost.awex.io | - | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 21:14:19.411669016 CEST | 8.8.8.8 | 192.168.2.3 | 0xf17a | No error (0) | us-east-1.route-1.000webhost.awex.io | - | 145.14.145.185 | A (IP address) | IN (0x0001)
Jun 10, 2021 21:14:19.504928112 CEST | 8.8.8.8 | 192.168.2.3 | 0xe7c4 | No error (0) | mmeetalss.000webhostapp.com | us-east-1.route-1.000webhost.awex.io | - | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 21:14:19.504928112 CEST | 8.8.8.8 | 192.168.2.3 | 0xe7c4 | No error (0) | us-east-1.route-1.000webhost.awex.io | - | 145.14.144.201 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jun 10, 2021 21:14:19.870256901 CEST | 145.14.145.185 | 443 | 192.168.2.3 | 49730 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad

Certificate chain presented by the server in that session (Subject | Issuer | Not Before | Not After):
CN=*.000webhostapp.com | CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | Tue Jun 11 02:00:00 CEST 2019 | Sat Jul 10 14:00:00 CEST 2021
CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 06 13:23:33 CET 2017 | Sat Nov 06 13:23:33 CET 2027
CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Fri Nov 10 01:00:00 CET 2006 | Mon Nov 10 01:00:00 CET 2031

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 21:14:11
Start date: 10/06/2021
Path: C:\Users\user\Desktop\WcHO1ZGiIn.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\WcHO1ZGiIn.exe'
Imagebase: 0x370000
File size: 19456 bytes
MD5 hash: C7B10EB81F543DEBD7092703917CF6E5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 21:14:23
Start date: 10/06/2021
Path: C:\Users\user\AppData\Local\Temp\Serwices.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\Serwices.exe'
Imagebase: 0xee0000
File size: 795648 bytes
MD5 hash: CF1048A8362B93B9CDF47260B50D8F37
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.254454317.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.254827606.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.236597835.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.241943402.0000000004475000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.241561167.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Matiex, Description: Yara detected Matiex Keylogger, Source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.236472239.0000000004319000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 66%, ReversingLabs
Reputation: low

General

Start time: 21:14:29
Start date: 10/06/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 852
Imagebase: 0x1110000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Disassembly

Code Analysis
