Windows Analysis Report V5cfxBHd71.exe

Overview

General Information

Sample Name: V5cfxBHd71.exe
Analysis ID: 458773
MD5: 182170393a1acd19744575f00562384f
SHA1: e2b2d6405b359d78ba965b54e9cc6b38e223fd97
SHA256: 71ec0c91aeec5071da283d23bceb39800e9ad6c133bb6aef99d1302f47a4ada3
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.boogerstv.com/p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB Avira URL Cloud: Label: malware
Source: http://www.vectoroutlines.com/p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
Multi AV Scanner detection for domain / URL
Source: vectoroutlines.com Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for submitted file
Source: V5cfxBHd71.exe Virustotal: Detection: 29% Perma Link
Source: V5cfxBHd71.exe ReversingLabs: Detection: 30%
Yara detected FormBook
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: V5cfxBHd71.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.V5cfxBHd71.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: V5cfxBHd71.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: V5cfxBHd71.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4x nop then pop edi 4_2_00416282
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4x nop then pop ebx 4_2_00406A94
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 17_2_00A56282
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop ebx 17_2_00A46A95

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 198.54.126.105:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 198.54.126.105:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 198.54.126.105:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 223.29.234.230:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 223.29.234.230:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 223.29.234.230:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.adultpeace.com/p2io/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.m678.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /p2io/?BJ=RfOK6jKhDkXNwKgMe5LTyAppaXreGCTFIz0prsbY2047Xu3Gxs4GQwDY2/SnNVlkbHQV&b2Ml9=0txtgJLXY6ULB HTTP/1.1 Host: www.vectoroutlines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?BJ=hDwxgnCxHqZG/nBf9NFToL98ekU0apx9FaMqifAGLuP7v/j66cUXhxpzlnLclYHrbOLF&b2Ml9=0txtgJLXY6ULB HTTP/1.1 Host: www.3cheer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?BJ=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7jRLyNqpfuRL&b2Ml9=0txtgJLXY6ULB HTTP/1.1 Host: www.boogerstv.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.218 198.54.117.218
Source: unknown DNS traffic detected: queries for: www.tpcgzwlpyggm.mobi

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_004181B0 NtCreateFile, 4_2_004181B0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00418260 NtReadFile, 4_2_00418260
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_004182E0 NtClose, 4_2_004182E0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00418390 NtAllocateVirtualMemory, 4_2_00418390
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_004182AC NtReadFile, 4_2_004182AC
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041838B NtAllocateVirtualMemory, 4_2_0041838B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D496D0 NtCreateKey,LdrInitializeThunk, 17_2_04D496D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D496E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_04D496E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49650 NtQueryValueKey,LdrInitializeThunk, 17_2_04D49650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49A50 NtCreateFile,LdrInitializeThunk, 17_2_04D49A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49840 NtDelayExecution,LdrInitializeThunk, 17_2_04D49840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_04D49660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_04D49860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D495D0 NtClose,LdrInitializeThunk, 17_2_04D495D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49FE0 NtCreateMutant,LdrInitializeThunk, 17_2_04D49FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49780 NtMapViewOfSection,LdrInitializeThunk, 17_2_04D49780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D499A0 NtCreateSection,LdrInitializeThunk, 17_2_04D499A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49540 NtReadFile,LdrInitializeThunk, 17_2_04D49540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49710 NtQueryInformationToken,LdrInitializeThunk, 17_2_04D49710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_04D49910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D498F0 NtReadVirtualMemory, 17_2_04D498F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49A80 NtOpenDirectoryObject, 17_2_04D49A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D498A0 NtWriteVirtualMemory, 17_2_04D498A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D4B040 NtSuspendThread, 17_2_04D4B040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49670 NtQueryInformationProcess, 17_2_04D49670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49A10 NtQuerySection, 17_2_04D49A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49610 NtEnumerateValueKey, 17_2_04D49610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49A00 NtProtectVirtualMemory, 17_2_04D49A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49820 NtEnumerateKey, 17_2_04D49820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49A20 NtResumeThread, 17_2_04D49A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D499D0 NtCreateProcessEx, 17_2_04D499D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D495F0 NtQueryInformationFile, 17_2_04D495F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D4A3B0 NtGetContextThread, 17_2_04D4A3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D497A0 NtUnmapViewOfSection, 17_2_04D497A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49950 NtQueueApcThread, 17_2_04D49950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D4A770 NtOpenThread, 17_2_04D4A770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49770 NtSetInformationFile, 17_2_04D49770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49560 NtWriteFile, 17_2_04D49560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49760 NtOpenProcess, 17_2_04D49760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D4A710 NtOpenProcessToken, 17_2_04D4A710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49B00 NtSetValueKey, 17_2_04D49B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D4AD30 NtSetContextThread, 17_2_04D4AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49730 NtQueryVirtualMemory, 17_2_04D49730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D49520 NtWaitForSingleObject, 17_2_04D49520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A581B0 NtCreateFile, 17_2_00A581B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A582E0 NtClose, 17_2_00A582E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A58260 NtReadFile, 17_2_00A58260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A58390 NtAllocateVirtualMemory, 17_2_00A58390
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A582AC NtReadFile, 17_2_00A582AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5838B NtAllocateVirtualMemory, 17_2_00A5838B
Detected potential crypto function
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 0_2_00EA4C65 0_2_00EA4C65
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 0_2_030AC2B0 0_2_030AC2B0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 0_2_030A9990 0_2_030A9990
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B8B1 4_2_0041B8B1
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B963 4_2_0041B963
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00408C4B 4_2_00408C4B
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00408C50 4_2_00408C50
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B493 4_2_0041B493
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B496 4_2_0041B496
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041C539 4_2_0041C539
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00402D89 4_2_00402D89
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041CE85 4_2_0041CE85
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041BF12 4_2_0041BF12
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041C795 4_2_0041C795
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_004D4C65 4_2_004D4C65
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D1B090 17_2_04D1B090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1002 17_2_04DC1002
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D26E30 17_2_04D26E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3EBB0 17_2_04D3EBB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD1D55 17_2_04DD1D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D0F900 17_2_04D0F900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D00D20 17_2_04D00D20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D24120 17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B8B1 17_2_00A5B8B1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B954 17_2_00A5B954
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B496 17_2_00A5B496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B493 17_2_00A5B493
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A48C4B 17_2_00A48C4B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A48C50 17_2_00A48C50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A42D89 17_2_00A42D89
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A42D90 17_2_00A42D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5C539 17_2_00A5C539
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5CE85 17_2_00A5CE85
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A42FB0 17_2_00A42FB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5C795 17_2_00A5C795
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5BF12 17_2_00A5BF12
Sample file is different than original file name gathered from version info
Source: V5cfxBHd71.exe Binary or memory string: OriginalFilename vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000000.00000002.257959634.00000000031D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000000.00000002.257092467.0000000000EA2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIdentityNotMappedExcepti.exe6 vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe Binary or memory string: OriginalFilename vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000004.00000002.352461046.00000000004D2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIdentityNotMappedExcepti.exe6 vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs V5cfxBHd71.exe
Source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs V5cfxBHd71.exe
Uses 32bit PE files
Source: V5cfxBHd71.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: V5cfxBHd71.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@9/3
Source: C:\Users\user\Desktop\V5cfxBHd71.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V5cfxBHd71.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
Source: V5cfxBHd71.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: V5cfxBHd71.exe Virustotal: Detection: 29%
Source: V5cfxBHd71.exe ReversingLabs: Detection: 30%
Source: unknown Process created: C:\Users\user\Desktop\V5cfxBHd71.exe 'C:\Users\user\Desktop\V5cfxBHd71.exe'
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process created: C:\Users\user\Desktop\V5cfxBHd71.exe C:\Users\user\Desktop\V5cfxBHd71.exe
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\V5cfxBHd71.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\V5cfxBHd71.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: V5cfxBHd71.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: V5cfxBHd71.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: V5cfxBHd71.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: V5cfxBHd71.exe, 00000004.00000002.353531484.000000000109F000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb source: V5cfxBHd71.exe, 00000004.00000002.354477795.0000000002EE0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.293172647.000000000EC00000.00000002.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: V5cfxBHd71.exe Static PE information: 0xF0944DD6 [Mon Nov 25 20:51:34 2097 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B2A2 push cs; ret 4_2_0041B2A3
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B3F2 push eax; ret 4_2_0041B3F8
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B3FB push eax; ret 4_2_0041B462
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B3A5 push eax; ret 4_2_0041B3F8
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041B45C push eax; ret 4_2_0041B462
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00415414 push esp; ret 4_2_00415416
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00414F46 push cs; ret 4_2_00414F47
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_0041BF12 push dword ptr [8427D5C5h]; ret 4_2_0041C1FF
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00415FC5 push ebp; ret 4_2_00415FC6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D5D0D1 push ecx; ret 17_2_04D5D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B2A2 push cs; ret 17_2_00A5B2A3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B3A5 push eax; ret 17_2_00A5B3F8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B3F2 push eax; ret 17_2_00A5B3F8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B3FB push eax; ret 17_2_00A5B462
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A55414 push esp; ret 17_2_00A55416
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5B45C push eax; ret 17_2_00A5B462
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A55FC5 push ebp; ret 17_2_00A55FC6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A5BF12 push dword ptr [8427D5C5h]; ret 17_2_00A5C1FF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_00A54F46 push cs; ret 17_2_00A54F47
Source: initial sample Static PE information: section name: .text entropy: 7.40347651298
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: V5cfxBHd71.exe PID: 5700, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\V5cfxBHd71.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\V5cfxBHd71.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000A485E4 second address: 0000000000A485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000A4896E second address: 0000000000A48974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_004088A0 rdtsc 4_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\V5cfxBHd71.exe TID: 5332 Thread sleep time: -40589s >= -30000s
Source: C:\Users\user\Desktop\V5cfxBHd71.exe TID: 456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4656 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Thread delayed: delay time: 40589
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000007.00000000.262044183.0000000001218000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oso
Source: explorer.exe, 00000007.00000000.287538157.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.288154074.0000000008AEA000.00000004.00000001.sdmp Binary or memory string: 000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.299978038.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.287622387.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000007.00000000.317506996.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000007.00000000.287622387.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: V5cfxBHd71.exe, 00000000.00000002.258210431.000000000335B000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_004088A0 rdtsc 4_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Code function: 4_2_00409B10 LdrLoadDll, 4_2_00409B10
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD8CD6 mov eax, dword ptr fs:[00000030h] 17_2_04DD8CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD8ED6 mov eax, dword ptr fs:[00000030h] 17_2_04DD8ED6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DBFEC0 mov eax, dword ptr fs:[00000030h] 17_2_04DBFEC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D336CC mov eax, dword ptr fs:[00000030h] 17_2_04D336CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC14FB mov eax, dword ptr fs:[00000030h] 17_2_04DC14FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D316E0 mov ecx, dword ptr fs:[00000030h] 17_2_04D316E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3D294 mov eax, dword ptr fs:[00000030h] 17_2_04D3D294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3D294 mov eax, dword ptr fs:[00000030h] 17_2_04D3D294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09080 mov eax, dword ptr fs:[00000030h] 17_2_04D09080
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D9FE87 mov eax, dword ptr fs:[00000030h] 17_2_04D9FE87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3F0BF mov ecx, dword ptr fs:[00000030h] 17_2_04D3F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3F0BF mov eax, dword ptr fs:[00000030h] 17_2_04D3F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3F0BF mov eax, dword ptr fs:[00000030h] 17_2_04D3F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h] 17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h] 17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h] 17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h] 17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D052A5 mov eax, dword ptr fs:[00000030h] 17_2_04D052A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD0EA5 mov eax, dword ptr fs:[00000030h] 17_2_04DD0EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD0EA5 mov eax, dword ptr fs:[00000030h] 17_2_04DD0EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD0EA5 mov eax, dword ptr fs:[00000030h] 17_2_04DD0EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D846A7 mov eax, dword ptr fs:[00000030h] 17_2_04D846A7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h] 17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h] 17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h] 17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09240 mov eax, dword ptr fs:[00000030h] 17_2_04D09240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD1074 mov eax, dword ptr fs:[00000030h] 17_2_04DD1074
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC2073 mov eax, dword ptr fs:[00000030h] 17_2_04DC2073
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DBB260 mov eax, dword ptr fs:[00000030h] 17_2_04DBB260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DBB260 mov eax, dword ptr fs:[00000030h] 17_2_04DBB260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D2746D mov eax, dword ptr fs:[00000030h] 17_2_04D2746D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D87016 mov eax, dword ptr fs:[00000030h] 17_2_04D87016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D87016 mov eax, dword ptr fs:[00000030h] 17_2_04D87016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D87016 mov eax, dword ptr fs:[00000030h] 17_2_04D87016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC1C06 mov eax, dword ptr fs:[00000030h] 17_2_04DC1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DBFE3F mov eax, dword ptr fs:[00000030h] 17_2_04DBFE3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h] 17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h] 17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h] 17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D1B02A mov eax, dword ptr fs:[00000030h] 17_2_04D1B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3BC2C mov eax, dword ptr fs:[00000030h] 17_2_04D3BC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DB8DF1 mov eax, dword ptr fs:[00000030h] 17_2_04DB8DF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D0B1E1 mov eax, dword ptr fs:[00000030h] 17_2_04D0B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D0B1E1 mov eax, dword ptr fs:[00000030h] 17_2_04D0B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D0B1E1 mov eax, dword ptr fs:[00000030h] 17_2_04D0B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D2C182 mov eax, dword ptr fs:[00000030h] 17_2_04D2C182
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3A185 mov eax, dword ptr fs:[00000030h] 17_2_04D3A185
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC138A mov eax, dword ptr fs:[00000030h] 17_2_04DC138A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h] 17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h] 17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h] 17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h] 17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D02D8A mov eax, dword ptr fs:[00000030h] 17_2_04D02D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D335A1 mov eax, dword ptr fs:[00000030h] 17_2_04D335A1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD5BA5 mov eax, dword ptr fs:[00000030h] 17_2_04DD5BA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D27D50 mov eax, dword ptr fs:[00000030h] 17_2_04D27D50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD8B58 mov eax, dword ptr fs:[00000030h] 17_2_04DD8B58
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D1EF40 mov eax, dword ptr fs:[00000030h] 17_2_04D1EF40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D2B944 mov eax, dword ptr fs:[00000030h] 17_2_04D2B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D2B944 mov eax, dword ptr fs:[00000030h] 17_2_04D2B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D43D43 mov eax, dword ptr fs:[00000030h] 17_2_04D43D43
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D0B171 mov eax, dword ptr fs:[00000030h] 17_2_04D0B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D0B171 mov eax, dword ptr fs:[00000030h] 17_2_04D0B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D2C577 mov eax, dword ptr fs:[00000030h] 17_2_04D2C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D2C577 mov eax, dword ptr fs:[00000030h] 17_2_04D2C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD8F6A mov eax, dword ptr fs:[00000030h] 17_2_04DD8F6A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DC131B mov eax, dword ptr fs:[00000030h] 17_2_04DC131B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D9FF10 mov eax, dword ptr fs:[00000030h] 17_2_04D9FF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D9FF10 mov eax, dword ptr fs:[00000030h] 17_2_04D9FF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09100 mov eax, dword ptr fs:[00000030h] 17_2_04D09100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09100 mov eax, dword ptr fs:[00000030h] 17_2_04D09100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D09100 mov eax, dword ptr fs:[00000030h] 17_2_04D09100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD070D mov eax, dword ptr fs:[00000030h] 17_2_04DD070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD070D mov eax, dword ptr fs:[00000030h] 17_2_04DD070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D0AD30 mov eax, dword ptr fs:[00000030h] 17_2_04D0AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D3E730 mov eax, dword ptr fs:[00000030h] 17_2_04D3E730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04DD8D34 mov eax, dword ptr fs:[00000030h] 17_2_04DD8D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h] 17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h] 17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h] 17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D24120 mov eax, dword ptr fs:[00000030h] 17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D24120 mov ecx, dword ptr fs:[00000030h] 17_2_04D24120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D04F2E mov eax, dword ptr fs:[00000030h] 17_2_04D04F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 17_2_04D04F2E mov eax, dword ptr fs:[00000030h] 17_2_04D04F2E
Enables debug privileges
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.218 80
Source: C:\Windows\explorer.exe Domain query: www.tpcgzwlpyggm.mobi
Source: C:\Windows\explorer.exe Domain query: www.boogerstv.com
Source: C:\Windows\explorer.exe Domain query: www.m678.xyz
Source: C:\Windows\explorer.exe Domain query: www.kce0728com.net
Source: C:\Windows\explorer.exe Domain query: www.vectoroutlines.com
Source: C:\Windows\explorer.exe Domain query: www.3cheer.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.126.105 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Thread register set: target process: 3472
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 1290000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process created: C:\Users\user\Desktop\V5cfxBHd71.exe C:\Users\user\Desktop\V5cfxBHd71.exe
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\V5cfxBHd71.exe'
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000007.00000000.299874410.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000007.00000000.262162643.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Users\user\Desktop\V5cfxBHd71.exe VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\V5cfxBHd71.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY
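The Yara matches above are listed twice under two headings but describe the same memory regions, and the report's naming makes them more useful than they look. As an added triage helper (my own code, not part of the Joe Sandbox report), the following Python parses those dump names and the MachineGuid registry line and groups the FormBook-matched regions by process. The dump-name field layout is inferred from the report's own pairing of `4.2.V5cfxBHd71.exe.400000.0.unpack` with `00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp` (process index 4, dump pass 2, region base 0x400000); reading the fifth field as a raw Windows page-protection constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE) is an assumption, and the last field is left uninterpreted. On this report the grouping shows FormBook in three process contexts: process 0 with one PAGE_READWRITE region at 0x41D9000 (most likely the decoded payload staged in the loader's own memory before injection), process 4 with RWX regions including the 0x400000 image base (the hollowed child), and process 17 with two RWX regions plus a read-write one, which lines up with the process-hollowing and thread-injection signatures listed at the top of the report. The MachineGuid read is a stable host fingerprint that stealers commonly fold into a per-victim identifier.

```python
import re
from collections import defaultdict

# Windows page-protection constants (winnt.h). ASSUMPTION: the fifth field of a
# Joe Sandbox dump name holds this raw constant (0x40 = PAGE_EXECUTE_READWRITE,
# 0x04 = PAGE_READWRITE).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Dump-name layout, inferred from the report's own pairing of
#   4.2.V5cfxBHd71.exe.400000.0.unpack
# with
#   00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp
# i.e. process index . dump pass . dump id . region base . protection . trailing
# field (left uninterpreted here).
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dpass>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)
YARA_RE = re.compile(r"^Source: Yara match File source: (?P<src>\S+), type: (?P<kind>\w+)$")
REG_RE = re.compile(r"^Source: (?P<proc>\S+) Key value queried: (?P<key>\S+) (?P<value>\S+)")

# Constructed input: the Yara-match lines from one of the two sections above plus
# the MachineGuid line (the second section repeats the same matches; the parser
# deduplicates them anyway).
REPORT_LINES = [
    "Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 4.2.V5cfxBHd71.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000004.00000002.352974421.0000000000B00000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.353232950.0000000000F40000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000011.00000002.497388587.0000000000A40000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000011.00000002.500475231.0000000000E90000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.352380368.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000011.00000002.499943855.0000000000E60000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.258699660.00000000041D9000.00000004.00000001.sdmp, type: MEMORY",
    r"Source: C:\Users\user\Desktop\V5cfxBHd71.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]


def parse_sdmp(name):
    """Split a dump file name into its fields; None if it is not a .sdmp name."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "process": int(m["proc"], 16),
        "dump_pass": int(m["dpass"], 16),
        "base": int(m["base"], 16),
        "protection": prot,
        "rwx": prot == PAGE_EXECUTE_READWRITE,
    }


def triage(lines):
    """Group Yara-matched memory regions by process and collect fingerprint reads."""
    regions = defaultdict(set)  # process index -> {(base, protection)}
    indicators = []
    for line in lines:
        line = line.strip()
        y = YARA_RE.match(line)
        if y:
            if y["kind"] == "MEMORY":
                d = parse_sdmp(y["src"])
                if d:
                    regions[d["process"]].add((d["base"], d["protection"]))
            continue  # UNPACKEDPE entries are derived from the same dumps
        r = REG_RE.match(line)
        if r and r["value"] == "MachineGuid":
            indicators.append("MachineGuid read (stable host fingerprint)")
    processes = {}
    for proc, regs in sorted(regions.items()):
        processes[proc] = {
            "regions": sorted(regs),
            "rwx_regions": sorted(b for b, p in regs if p == PAGE_EXECUTE_READWRITE),
        }
    return {"processes": processes, "indicators": indicators}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for proc, info in result["processes"].items():
        rwx = ", ".join(f"0x{b:X}" for b in info["rwx_regions"]) or "none"
        print(f"process {proc}: {len(info['regions'])} matched region(s), RWX at {rwx}")
    for ind in result["indicators"]:
        print("indicator:", ind)
```

Running it prints one line per process index; the RWX regions are the ones worth carving out of the memory dumps first, since a PAGE_EXECUTE_READWRITE private region holding a Yara-matched PE is the usual signature of an injected or hollowed payload rather than a legitimately mapped image.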