Windows Analysis Report Fp4grWelSC.exe

Overview

General Information

Sample Name: Fp4grWelSC.exe
Analysis ID: 552852
MD5: 0e99d13aafcc5e8fadc45d8b85336d9b
SHA1: 6573c9dd229e50981aa24128ad02a07e99805369
SHA256: a15402c5f869a1c02421742c27dd71c2448bb037d391a6bf130be06b2f976e2f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.safetyeats.asia/pnug/"], "decoy": ["natureate.com", "ita-pots.website", "sucohansmushroom.com", "produrielrosen.com", "gosystemupdatenow.online", "jiskra.art", "janwiench.com", "norfolkfoodhall.com", "iloveaddictss.com", "pogozip.com", "buyinstapva.com", "teardirectionfreedom.xyz", "0205168.com", "apaixonadosporpugs.online", "jawscoinc.com", "crafter.quest", "wikipedianow.com", "radiopuls.net", "kendama-co.com", "goodstudycanada.com", "huzhoucs.com", "asinment.com", "fuchsundrudolph.com", "arthurenathalia.com", "globalcosmeticsstudios.com", "brandrackley.com", "freemanhub.one", "utserver.online", "fullspecter.com", "wshowcase.com", "airjordanshoes-retro.com", "linguimatics.com", "app-verlengen.icu", "singpost.red", "j4.claims", "inoteapp.net", "jrdautomotivellc.com", "xn--beaupre-6xa.com", "mypolicyportal.net", "wdgjdhpg.com", "anshulindla.com", "m981070.com", "vertentebike.com", "claim-available.com", "buyfudgybombs.com", "adfnapoli.com", "blackfuid.com", "clambakedelivered.info", "marketingworksonhold.com", "xvyj.top", "richardsonsfinest.com", "gurimix.com", "dorhop.com", "mauigrowngreencoffee.net", "juzytuu.xyz", "pokorny.industries", "floridapermitsolutions.com", "right-on-target-store.com", "ynaire.com", "nextpar.com", "disdrone.com", "fruitfulvinebirth.com", "africanfairytale.com", "leisuresabah.com"]}
Multi AV Scanner detection for submitted file
Source: Fp4grWelSC.exe Virustotal: Detection: 30% Perma Link
Source: Fp4grWelSC.exe ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match File source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.safetyeats.asia/pnug/ Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: Fp4grWelSC.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Fp4grWelSC.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Fp4grWelSC.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdb source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F31DC FindFirstFileW,FindNextFileW,FindClose, 11_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_011D85EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 11_2_011E245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 11_2_011DB89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 11_2_011E68BA

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.safetyeats.asia/pnug/
Source: explorer.exe, 00000016.00000003.897084058.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.871772887.000000000466C000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.872046456.000000000466C000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.873076198.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.894500813.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.906108816.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.892662524.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.872317477.000000000468E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp String found in binary or memory: http://crl.v
Source: Fp4grWelSC.exe, 00000000.00000003.665336360.0000000005616000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.665368035.0000000005615000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.665301008.0000000005615000.00000004.00000001.sdmp String found in binary or memory: http://en.wV
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Fp4grWelSC.exe, 00000000.00000003.667689980.0000000005617000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Fp4grWelSC.exe, 00000000.00000003.667936294.0000000005616000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Fp4grWelSC.exe, 00000000.00000003.671658171.000000000564D000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.671734893.000000000564D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Fp4grWelSC.exe, 00000000.00000003.673630049.000000000564D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Fp4grWelSC.exe, 00000000.00000002.688934459.0000000000D97000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Fp4grWelSC.exe, 00000000.00000002.688934459.0000000000D97000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comas
Source: Fp4grWelSC.exe, 00000000.00000002.688934459.0000000000D97000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comldW
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.667467039.0000000005614000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Fp4grWelSC.exe, 00000000.00000003.676276050.0000000005646000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.676246333.0000000005646000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Fp4grWelSC.exe, 00000000.00000003.667875691.0000000005616000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.667936294.0000000005616000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Fp4grWelSC.exe, 00000000.00000003.667875691.0000000005616000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnew

E-Banking Fraud:

Yara detected FormBook (same Yara match sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: Fp4grWelSC.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00372050 0_2_00372050
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00D6C884 0_2_00D6C884
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00D6EC50 0_2_00D6EC50
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00D6EC40 0_2_00D6EC40
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041D010 4_2_0041D010
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041B8C3 4_2_0041B8C3
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041CBAD 4_2_0041CBAD
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00408C7B 4_2_00408C7B
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00408C80 4_2_00408C80
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00AB2050 4_2_00AB2050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F5D0A 11_2_011F5D0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F3506 11_2_011F3506
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E6550 11_2_011E6550
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E1969 11_2_011E1969
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D7190 11_2_011D7190
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F31DC 11_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DD803 11_2_011DD803
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DE040 11_2_011DE040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D9CF0 11_2_011D9CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D48E6 11_2_011D48E6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DCB48 11_2_011DCB48
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E5FC8 11_2_011E5FC8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F6FF0 11_2_011F6FF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DFA30 11_2_011DFA30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D5226 11_2_011D5226
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D5E70 11_2_011D5E70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D8AD7 11_2_011D8AD7
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle, 11_2_011E374E
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004185E0 NtCreateFile, 4_2_004185E0
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00418690 NtReadFile, 4_2_00418690
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00418710 NtClose, 4_2_00418710
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004187C0 NtAllocateVirtualMemory, 4_2_004187C0
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041868A NtReadFile, 4_2_0041868A
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041870A NtClose, 4_2_0041870A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 11_2_011F6D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 11_2_011FB5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose, 11_2_011DB42E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 11_2_011D84BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 11_2_011D58A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB4C0 NtQueryInformationToken, 11_2_011DB4C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken, 11_2_011DB4F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 11_2_011D83F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F9AB4 NtSetInformationFile, 11_2_011F9AB4
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 11_2_011E6550
Sample file is different than original file name gathered from version info
Source: Fp4grWelSC.exe, 00000000.00000002.688004733.00000000003DF000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainManag.exe8 vs Fp4grWelSC.exe
Source: Fp4grWelSC.exe, 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Fp4grWelSC.exe
Source: Fp4grWelSC.exe, 00000000.00000002.693045785.0000000006D10000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Fp4grWelSC.exe
Source: Fp4grWelSC.exe, 00000004.00000000.685619670.0000000000B1F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainManag.exe8 vs Fp4grWelSC.exe
Source: Fp4grWelSC.exe, 00000004.00000002.766242265.000000000361D000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs Fp4grWelSC.exe
Source: Fp4grWelSC.exe, 00000004.00000003.762703815.0000000001147000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs Fp4grWelSC.exe
Source: Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Fp4grWelSC.exe
Source: Fp4grWelSC.exe, 00000004.00000002.764785736.000000000179F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Fp4grWelSC.exe
PE file contains strange resources
Source: Fp4grWelSC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Fp4grWelSC.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Fp4grWelSC.exe Virustotal: Detection: 30%
Source: Fp4grWelSC.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Fp4grWelSC.exe "C:\Users\user\Desktop\Fp4grWelSC.exe"
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process created: C:\Users\user\Desktop\Fp4grWelSC.exe C:\Users\user\Desktop\Fp4grWelSC.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Users\user\Desktop\Fp4grWelSC.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fp4grWelSC.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@0/0
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011FA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z, 11_2_011FA0D2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit, 11_2_011DC5CA
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Fp4grWelSC.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Fp4grWelSC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Fp4grWelSC.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdb source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Fp4grWelSC.exe, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Fp4grWelSC.exe.370000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Fp4grWelSC.exe.370000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Fp4grWelSC.exe.ab0000.7.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Fp4grWelSC.exe.ab0000.9.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Fp4grWelSC.exe.ab0000.5.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Fp4grWelSC.exe.ab0000.1.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Fp4grWelSC.exe.ab0000.1.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Fp4grWelSC.exe.ab0000.2.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Fp4grWelSC.exe.ab0000.3.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Fp4grWelSC.exe.ab0000.0.unpack, Display.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_0037F6EB push esp; iretd 0_2_0037F6EE
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041B822 push eax; ret 4_2_0041B828
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041B82B push eax; ret 4_2_0041B892
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041B88C push eax; ret 4_2_0041B892
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00418AC3 push esp; iretd 4_2_00418ACC
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041747D push edi; ret 4_2_0041747E
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041CD7E push es; ret 4_2_0041CD87
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0040CD0A push es; iretd 4_2_0040CD0B
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041A5E6 push ebp; ret 4_2_0041A5E7
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041B7D5 push eax; ret 4_2_0041B828
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00ABF6EB push esp; iretd 4_2_00ABF6EE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E76BD push ecx; ret 11_2_011E76D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E76D1 push ecx; ret 11_2_011E76E4
Source: initial sample Static PE information: section name: .text entropy: 7.74639201184

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cmd.exe Process created: /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.Fp4grWelSC.exe.28777e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.286f7d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.28b65dc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fp4grWelSC.exe PID: 7132, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Fp4grWelSC.exe, 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Fp4grWelSC.exe, 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Fp4grWelSC.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Fp4grWelSC.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000000608604 second address: 000000000060860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 000000000060899E second address: 00000000006089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Fp4grWelSC.exe TID: 7136 Thread sleep time: -34160s >= -30000s
Source: C:\Users\user\Desktop\Fp4grWelSC.exe TID: 7160 Thread sleep time: -922337203685477s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004088D0 rdtsc 4_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread delayed: delay time: 922337203685477
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F31DC FindFirstFileW,FindNextFileW,FindClose, 11_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_011D85EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 11_2_011E245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 11_2_011DB89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 11_2_011E68BA
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread delayed: delay time: 34160
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread delayed: delay time: 922337203685477
Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000016.00000003.896790069.0000000010860000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Br
Source: explorer.exe, 00000016.00000003.891009930.0000000005E6A000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000016.00000003.878772068.000000000FE98000.00000004.00000001.sdmp Binary or memory string: 11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000003.871828614.00000000046A6000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000003.891246769.000000000FE98000.00000004.00000001.sdmp Binary or memory string: e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000003.849361987.0000000005DD1000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%/
Source: explorer.exe, 00000005.00000000.732278813.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.716929271.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000016.00000003.896790069.0000000010860000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000016.00000003.892662524.0000000004691000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\?
Source: explorer.exe, 00000005.00000000.725815512.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.716929271.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000016.00000003.902747265.00000000101EE000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
Source: explorer.exe, 00000005.00000000.716995391.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000016.00000003.896978189.000000000464B000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0zN
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D: @@@@````
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.725967558.0000000004791000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAX
Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.713334907.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
Source: explorer.exe, 00000016.00000003.892662524.0000000004691000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00\
Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}O
Source: explorer.exe, 00000005.00000000.733411384.000000000A897000.00000004.00000001.sdmp Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 00000016.00000003.871888644.00000000046E4000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}*
Source: explorer.exe, 00000016.00000003.849361987.0000000005DD1000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}p mode should ".

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F2258 IsDebuggerPresent, 11_2_011F2258
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F1914 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap, 11_2_011F1914
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004088D0 rdtsc 4_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011FB5E0 mov eax, dword ptr fs:[00000030h] 11_2_011FB5E0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00409B40 LdrLoadDll, 4_2_00409B40
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E7310 SetUnhandledExceptionFilter, 11_2_011E7310
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_011E6FE3

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 11D0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: unknown protection: read write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Memory written: C:\Users\user\Desktop\Fp4grWelSC.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3424
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process created: C:\Users\user\Desktop\Fp4grWelSC.exe C:\Users\user\Desktop\Fp4grWelSC.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
Source: cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp Binary or memory string: ,Program Manager
Source: explorer.exe, 00000005.00000000.689548648.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.709918766.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.724562670.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.699520641.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp, cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.874340943.0000000004E40000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp, cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.874340943.0000000004E40000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.841376064.0000000004A69000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.842632526.0000000004A69000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000016.00000000.853795792.0000000000B28000.00000004.00000020.sdmp Binary or memory string: ProgmansT
Source: explorer.exe, 00000016.00000003.841476449.0000000004A2F000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.873737852.0000000004A35000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd(%
Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.702175441.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.732418919.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.716929271.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Users\user\Desktop\Fp4grWelSC.exe VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 11_2_011E3F80
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 11_2_011D96A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 11_2_011D5AEF
Source: C:\Users\user\Desktop\Fp4grWelSC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E7513 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 11_2_011E7513
Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D443C GetVersion, 11_2_011D443C

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: explorer.exe, 00000016.00000000.876265655.0000000005E6A000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.891009930.0000000005E6A000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY
No contacted IP infos