Windows Analysis Report FCL ABONOF2201.exe

Overview

General Information

Sample Name: FCL ABONOF2201.exe
Analysis ID: 452735
MD5: 8df4b43e11c352b502cea6a13e220468
SHA1: e8e6745a74fec6d5ea7c0ae5fce8e775689cacef
SHA256: 86324507b99eaddd23e1c94340269fc33d8a9cf64c6df71822d4b0cf59078535
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 17.2.FCL ABONOF2201.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@aereks.si", "Password": "10Jure03", "Host": "mail.aereks.si"}
Multi AV Scanner detection for submitted file
Source: FCL ABONOF2201.exe ReversingLabs: Detection: 23%
Machine Learning detection for sample
Source: FCL ABONOF2201.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.FCL ABONOF2201.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: FCL ABONOF2201.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FCL ABONOF2201.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: FCL ABONOF2201.exe, 00000011.00000002.520080449.0000000002CA1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: FCL ABONOF2201.exe, 00000011.00000002.520080449.0000000002CA1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: FCL ABONOF2201.exe, 00000011.00000002.520080449.0000000002CA1000.00000004.00000001.sdmp String found in binary or memory: http://LZsznn.com
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: FCL ABONOF2201.exe, 00000000.00000003.255809108.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.come
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp, FCL ABONOF2201.exe, 00000000.00000003.255913519.0000000005708000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: FCL ABONOF2201.exe, 00000000.00000003.260457735.0000000005703000.00000004.00000001.sdmp, FCL ABONOF2201.exe, 00000000.00000003.260386110.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: FCL ABONOF2201.exe, 00000000.00000003.260862361.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frer6
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp, FCL ABONOF2201.exe, 00000000.00000003.260862361.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: FCL ABONOF2201.exe, 00000000.00000003.260386110.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/g
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: FCL ABONOF2201.exe, 00000000.00000003.261298723.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comAm
Source: FCL ABONOF2201.exe, 00000000.00000003.260457735.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comE
Source: FCL ABONOF2201.exe, 00000000.00000003.261298723.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comFv
Source: FCL ABONOF2201.exe, 00000000.00000003.260862361.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comL.TTF
Source: FCL ABONOF2201.exe, 00000000.00000003.342180972.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: FCL ABONOF2201.exe, 00000000.00000003.261298723.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comals
Source: FCL ABONOF2201.exe, 00000000.00000003.342180972.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.come.comm
Source: FCL ABONOF2201.exe, 00000000.00000003.260386110.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comeff
Source: FCL ABONOF2201.exe, 00000000.00000003.260862361.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgrita
Source: FCL ABONOF2201.exe, 00000000.00000003.261298723.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comicTF
Source: FCL ABONOF2201.exe, 00000000.00000003.260862361.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comlvfet
Source: FCL ABONOF2201.exe, 00000000.00000003.261298723.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: FCL ABONOF2201.exe, 00000000.00000003.342180972.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.commn
Source: FCL ABONOF2201.exe, 00000000.00000003.260862361.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comov
Source: FCL ABONOF2201.exe, 00000000.00000003.261298723.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsief
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: FCL ABONOF2201.exe, 00000000.00000003.255104556.0000000005721000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn.
Source: FCL ABONOF2201.exe, 00000000.00000003.255405700.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: FCL ABONOF2201.exe, 00000000.00000003.255169149.0000000005723000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnTC
Source: FCL ABONOF2201.exe, 00000000.00000003.255104556.0000000005721000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnu-h
Source: FCL ABONOF2201.exe, 00000000.00000003.255104556.0000000005721000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnu-rv
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: FCL ABONOF2201.exe, 00000000.00000003.262136501.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/m
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: FCL ABONOF2201.exe, 00000000.00000003.262136501.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmt
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: FCL ABONOF2201.exe, 00000000.00000003.257309413.0000000005703000.00000004.00000001.sdmp, FCL ABONOF2201.exe, 00000000.00000003.258007316.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: FCL ABONOF2201.exe, 00000000.00000003.258007316.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: FCL ABONOF2201.exe, 00000000.00000003.258144229.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/BnT
Source: FCL ABONOF2201.exe, 00000000.00000003.258465295.0000000005706000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Dh
Source: FCL ABONOF2201.exe, 00000000.00000003.258232538.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/DhT
Source: FCL ABONOF2201.exe, 00000000.00000003.258633280.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/VnT
Source: FCL ABONOF2201.exe, 00000000.00000003.258007316.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: FCL ABONOF2201.exe, 00000000.00000003.258633280.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/http
Source: FCL ABONOF2201.exe, 00000000.00000003.258633280.0000000005703000.00000004.00000001.sdmp, FCL ABONOF2201.exe, 00000000.00000003.258144229.0000000005703000.00000004.00000001.sdmp, FCL ABONOF2201.exe, 00000000.00000003.258465295.0000000005706000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: FCL ABONOF2201.exe, 00000000.00000003.258633280.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/d
Source: FCL ABONOF2201.exe, 00000000.00000003.258633280.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: FCL ABONOF2201.exe, 00000000.00000003.257309413.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/norm
Source: FCL ABONOF2201.exe, 00000000.00000003.258007316.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/sa
Source: FCL ABONOF2201.exe, 00000000.00000003.258007316.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: FCL ABONOF2201.exe, 00000000.00000003.258633280.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: FCL ABONOF2201.exe, 00000000.00000003.258633280.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.m
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: FCL ABONOF2201.exe, 00000000.00000003.261298723.0000000005703000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: FCL ABONOF2201.exe, 00000000.00000002.350597117.0000000005902000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: FCL ABONOF2201.exe, 00000000.00000003.255739287.0000000005723000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cne
Source: FCL ABONOF2201.exe, 00000000.00000002.346788150.0000000003C31000.00000004.00000001.sdmp, FCL ABONOF2201.exe, 00000011.00000002.517483655.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: FCL ABONOF2201.exe, 00000011.00000002.520080449.0000000002CA1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: FCL ABONOF2201.exe, 00000000.00000002.343670754.0000000000FD8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A1060 0_2_012A1060
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A22D2 0_2_012A22D2
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A0472 0_2_012A0472
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A18F1 0_2_012A18F1
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A1D69 0_2_012A1D69
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A1036 0_2_012A1036
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A5240 0_2_012A5240
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A5250 0_2_012A5250
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A5478 0_2_012A5478
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A5488 0_2_012A5488
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A56A8 0_2_012A56A8
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A5698 0_2_012A5698
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A5878 0_2_012A5878
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A4BEA 0_2_012A4BEA
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_012A4BF8 0_2_012A4BF8
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3A20 0_2_02BC3A20
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3780 0_2_02BC3780
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC0040 0_2_02BC0040
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC221E 0_2_02BC221E
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3A10 0_2_02BC3A10
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC2248 0_2_02BC2248
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3CA7 0_2_02BC3CA7
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3498 0_2_02BC3498
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3C89 0_2_02BC3C89
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC04D8 0_2_02BC04D8
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3C39 0_2_02BC3C39
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC0032 0_2_02BC0032
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3C20 0_2_02BC3C20
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC1C70 0_2_02BC1C70
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC1C62 0_2_02BC1C62
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC09E8 0_2_02BC09E8
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC09D8 0_2_02BC09D8
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_02A646A0 17_2_02A646A0
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_02A63D42 17_2_02A63D42
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_02A64690 17_2_02A64690
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_02A64630 17_2_02A64630
PE file contains strange resources
Source: FCL ABONOF2201.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: FCL ABONOF2201.exe Binary or memory string: OriginalFilename vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000000.00000002.348253820.0000000005110000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000000.00000000.248596392.0000000000822000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMRhmT.exe2 vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000000.00000002.353489301.00000000078F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000000.00000002.345901547.0000000002F0D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000000.00000002.344853072.0000000002C31000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWTUsGrwBaEIhoxFArvAFqpc.exe4 vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe Binary or memory string: OriginalFilename vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 0000000F.00000000.339116629.0000000000012000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMRhmT.exe2 vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe Binary or memory string: OriginalFilename vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000010.00000002.340676512.00000000003C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMRhmT.exe2 vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe Binary or memory string: OriginalFilename vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000011.00000002.517483655.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWTUsGrwBaEIhoxFArvAFqpc.exe4 vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000011.00000000.341555593.0000000000772000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMRhmT.exe2 vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe, 00000011.00000002.519153608.0000000000E2A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs FCL ABONOF2201.exe
Source: FCL ABONOF2201.exe Binary or memory string: OriginalFilenameMRhmT.exe2 vs FCL ABONOF2201.exe
Uses 32bit PE files
Source: FCL ABONOF2201.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FCL ABONOF2201.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@0/0
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FCL ABONOF2201.exe.log
Source: FCL ABONOF2201.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FCL ABONOF2201.exe ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Users\user\Desktop\FCL ABONOF2201.exe 'C:\Users\user\Desktop\FCL ABONOF2201.exe'
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process created: C:\Users\user\Desktop\FCL ABONOF2201.exe {path}
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: FCL ABONOF2201.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FCL ABONOF2201.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: FCL ABONOF2201.exe, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.FCL ABONOF2201.exe.10000.0.unpack, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.FCL ABONOF2201.exe.3c0000.0.unpack, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_0087A28D push esi; ret 0_2_0087A29A
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_0087AAC1 push ebp; iretd 0_2_0087AAC2
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC3EB9 push cs; ret 0_2_02BC3EBA
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 0_2_02BC8475 push FFFFFF8Bh; iretd 0_2_02BC8477
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 15_2_0006A28D push esi; ret 15_2_0006A29A
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 15_2_0006AAC1 push ebp; iretd 15_2_0006AAC2
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 16_2_0041AAC1 push ebp; iretd 16_2_0041AAC2
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 16_2_0041A28D push esi; ret 16_2_0041A29A
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_007CAAC1 push ebp; iretd 17_2_007CAAC2
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_007CA28D push esi; ret 17_2_007CA29A
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_02A64630 pushad ; retf 8303h 17_2_02A646E8
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Code function: 17_2_02A6DD39 push FFFFFF8Bh; iretd 17_2_02A6DD3B
Source: initial sample Static PE information: section name: .text entropy: 7.7080390285
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FCL ABONOF2201.exe PID: 5492, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Window / User API: threadDelayed 9216 Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Window / User API: threadDelayed 643 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe TID: 1720 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe TID: 604 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe TID: 1828 Thread sleep count: 9216 > 30 Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe TID: 1828 Thread sleep count: 643 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: vmware
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Memory written: C:\Users\user\Desktop\FCL ABONOF2201.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process created: C:\Users\user\Desktop\FCL ABONOF2201.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process created: C:\Users\user\Desktop\FCL ABONOF2201.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Process created: C:\Users\user\Desktop\FCL ABONOF2201.exe {path} Jump to behavior
Source: FCL ABONOF2201.exe, 00000011.00000002.519541077.00000000015D0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: FCL ABONOF2201.exe, 00000011.00000002.519541077.00000000015D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: FCL ABONOF2201.exe, 00000011.00000002.519541077.00000000015D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: FCL ABONOF2201.exe, 00000011.00000002.519541077.00000000015D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
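The evasion evidence in the section above (enumeration of Win32_BaseBoard, Win32_NetworkAdapterConfiguration and Win32_Processor; the SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME and VMware strings; the 922337203685477 ms delays) and the injection evidence in this section (a copy of itself started suspended, then an MZ header written at base 400000) can be decoded mechanically rather than read line by line. The following Python is an editor-added example, not Joe Sandbox output and not the sample's code: it re-parses lines copied from this report (embedded as constructed sample input with the link text dropped), maps each WMI class and memory string to what it fingerprints, decodes the delay value as Sleep(INFINITE) from the way SleepEx builds the NtDelayExecution interval, and correlates the suspended child with the MZ write into it. The regexes, dictionaries and the hollowing correlation are the editor's assumptions about the report format, not sandbox logic.

```python
"""Decode evasion and injection evidence lines from a Joe Sandbox behaviour listing.

Editor-added example, not sandbox output and not the sample's code. SAMPLE_LINES
are copied from this report with the trailing link text removed; the regexes,
the Sleep(INFINITE) decoding and the hollowing correlation are assumptions.
"""
import re

EXE = r"C:\Users\user\Desktop\FCL ABONOF2201.exe"
DMP = "FCL ABONOF2201.exe, 00000000.00000002.344995346.0000000002C98000.00000004.00000001.sdmp"

# Constructed sample input: lines lifted from the report above.
SAMPLE_LINES = [
    f"Source: {EXE} WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard",
    f"Source: {EXE} WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_NetworkAdapterConfiguration",
    f"Source: {EXE} WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_Processor",
    f"Source: {DMP} Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    f"Source: {DMP} Binary or memory string: SBIEDLL.DLL",
    f"Source: {DMP} Binary or memory string: SOFTWARE\\VMware, Inc.\\VMware Tools",
    f"Source: {EXE} Thread delayed: delay time: 922337203685477",
    f"Source: {EXE} TID: 1828 Thread sleep count: 9216 > 30",
    f"Source: {EXE} Process created: {EXE} {{path}}",
    f"Source: {EXE} Memory written: {EXE} base: 400000 value starts with: 4D5A",
]

RE_WMI = re.compile(r"WMI Queries: IWbemServices::\w+ - (?P<ns>\S+) : (?P<cls>\w+)$")
RE_STRING = re.compile(r"Binary or memory string: (?P<text>.+)$")
RE_DELAY = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)$")
RE_CREATE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<child>.+?) \{path\}$")
RE_WRITE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: "
                      r"(?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$")

# What each WMI class gives an anti-VM check (editor's mapping, not from the report).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard": "Manufacturer/Product name the hypervisor's virtual board",
    "Win32_Bios": "SerialNumber/Version carry hypervisor BIOS strings",
    "Win32_Processor": "Name and core count; sandboxes usually expose one or two cores",
    "Win32_NetworkAdapterConfiguration": "MACAddress OUI of virtual NICs",
    "Win32_NetworkAdapter": "adapter names of virtual NICs",
}

# Substrings of memory strings that point at a specific analysis environment.
ANALYSIS_TOOL_STRINGS = {
    "SBIEDLL.DLL": "Sandboxie (SbieDll.dll is loaded into every sandboxed process)",
    "WINE_GET_UNIX_FILE_NAME": "Wine (kernel32 exports wine_get_unix_file_name)",
    "VMWARE": "VMware guest (VMware Tools path/registry key, SVGA II adapter)",
}

INT64_MIN = -(1 << 63)


def is_infinite_delay(delay_ms: int) -> bool:
    """True when a reported delay is Sleep(INFINITE) rather than a finite timeout.

    SleepEx(INFINITE) hands NtDelayExecution the relative interval 0x8000000000000000
    (INT64_MIN in 100-ns units) instead of -(ms * 10000). 2**63 / 10000 is
    922337203685477.58 ms, which the sandbox truncates to 922337203685477; any
    finite sleep is orders of magnitude away from that value.
    """
    return abs(-delay_ms * 10_000 - INT64_MIN) < 10_000


def summarize(lines):
    """Fold report lines into a dict of decoded evasion/injection findings."""
    out = {"wmi_classes": [], "analysis_tools": [], "infinite_sleeps": 0,
           "finite_sleeps_ms": [], "self_hollowing": None}
    created = set()  # (parent, child) pairs seen in "Process created" lines
    for line in (l.replace(" Jump to behavior", "") for l in lines):
        if m := RE_WMI.search(line):
            out["wmi_classes"].append(m["cls"])
        elif m := RE_STRING.search(line):
            text = m["text"].upper()
            for needle, tool in ANALYSIS_TOOL_STRINGS.items():
                if needle in text and tool not in out["analysis_tools"]:
                    out["analysis_tools"].append(tool)
        elif m := RE_DELAY.search(line):
            ms = int(m["ms"])
            if is_infinite_delay(ms):
                out["infinite_sleeps"] += 1
            else:
                out["finite_sleeps_ms"].append(ms)
        elif m := RE_CREATE.match(line):
            created.add((m["parent"], m["child"]))
        elif m := RE_WRITE.match(line):
            # An 'MZ' header (4D5A) written at the child's image base (0x400000 for a
            # 32-bit PE) into a process this parent just created is the hollowing
            # pattern: the suspended child's image is replaced before it resumes.
            if m["magic"].upper().startswith("4D5A") and (m["src"], m["dst"]) in created:
                out["self_hollowing"] = {"target": m["dst"], "base": int(m["base"], 16)}
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for cls in s["wmi_classes"]:
        print(f"WMI {cls}: {VM_FINGERPRINT_CLASSES.get(cls, 'not a known VM-fingerprint class')}")
    for tool in s["analysis_tools"]:
        print(f"string check for: {tool}")
    print(f"Sleep(INFINITE) threads: {s['infinite_sleeps']}, finite sleeps: {s['finite_sleeps_ms']}")
    print(f"self-hollowing: {s['self_hollowing']}")
```

The delay decoding is the part worth keeping: a "Thread delayed" value of 922337203685477 is not a three-minute evasive sleep but a thread parked forever with Sleep(INFINITE), which is what a keylogger's worker thread does once its hooks are installed, so the "Contains long sleeps" and "May sleep (evasive loops)" signatures above should be read together with the thread-sleep counts (9216 and 643 short sleeps) rather than as a single anti-analysis delay. The hollowing correlation only fires when the MZ write targets a process the same parent created, which is the case here: the sample injects into a suspended copy of itself at its own image base.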

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Users\user\Desktop\FCL ABONOF2201.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Users\user\Desktop\FCL ABONOF2201.exe VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\FCL ABONOF2201.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.FCL ABONOF2201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.517483655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346788150.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.FCL ABONOF2201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.520080449.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.517483655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346788150.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FCL ABONOF2201.exe PID: 5492, type: MEMORY
Source: Yara match File source: Process Memory Space: FCL ABONOF2201.exe PID: 5992, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000011.00000002.520080449.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FCL ABONOF2201.exe PID: 5992, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.FCL ABONOF2201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.517483655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346788150.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FCL ABONOF2201.exe.3d4eb98.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.FCL ABONOF2201.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.520080449.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.517483655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346788150.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FCL ABONOF2201.exe PID: 5492, type: MEMORY
Source: Yara match File source: Process Memory Space: FCL ABONOF2201.exe PID: 5992, type: MEMORY