Windows Analysis Report Fp4grWelSC.exe

Overview

General Information

Sample Name: Fp4grWelSC.exe
Analysis ID: 552852
MD5: 0e99d13aafcc5e8fadc45d8b85336d9b
SHA1: 6573c9dd229e50981aa24128ad02a07e99805369
SHA256: a15402c5f869a1c02421742c27dd71c2448bb037d391a6bf130be06b2f976e2f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Fp4grWelSC.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Fp4grWelSC.exe" MD5: 0E99D13AAFCC5E8FADC45D8B85336D9B)
    • Fp4grWelSC.exe (PID: 6436 cmdline: C:\Users\user\Desktop\Fp4grWelSC.exe MD5: 0E99D13AAFCC5E8FADC45D8B85336D9B)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 6860 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • cmd.exe (PID: 7036 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 7080 cmdline: /c del "C:\Users\user\Desktop\Fp4grWelSC.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 5396 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • explorer.exe (PID: 3460 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.safetyeats.asia/pnug/"], "decoy": ["natureate.com", "ita-pots.website", "sucohansmushroom.com", "produrielrosen.com", "gosystemupdatenow.online", "jiskra.art", "janwiench.com", "norfolkfoodhall.com", "iloveaddictss.com", "pogozip.com", "buyinstapva.com", "teardirectionfreedom.xyz", "0205168.com", "apaixonadosporpugs.online", "jawscoinc.com", "crafter.quest", "wikipedianow.com", "radiopuls.net", "kendama-co.com", "goodstudycanada.com", "huzhoucs.com", "asinment.com", "fuchsundrudolph.com", "arthurenathalia.com", "globalcosmeticsstudios.com", "brandrackley.com", "freemanhub.one", "utserver.online", "fullspecter.com", "wshowcase.com", "airjordanshoes-retro.com", "linguimatics.com", "app-verlengen.icu", "singpost.red", "j4.claims", "inoteapp.net", "jrdautomotivellc.com", "xn--beaupre-6xa.com", "mypolicyportal.net", "wdgjdhpg.com", "anshulindla.com", "m981070.com", "vertentebike.com", "claim-available.com", "buyfudgybombs.com", "adfnapoli.com", "blackfuid.com", "clambakedelivered.info", "marketingworksonhold.com", "xvyj.top", "richardsonsfinest.com", "gurimix.com", "dorhop.com", "mauigrowngreencoffee.net", "juzytuu.xyz", "pokorny.industries", "floridapermitsolutions.com", "right-on-target-store.com", "ynaire.com", "nextpar.com", "disdrone.com", "fruitfulvinebirth.com", "africanfairytale.com", "leisuresabah.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed below each row)
0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings (listed below each row)
4.2.Fp4grWelSC.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Fp4grWelSC.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Fp4grWelSC.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bec:$sqlite3step: 68 34 1C 7B E1
        • 0x16b08:$sqlite3text: 68 38 2A 90 C5
        • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
4.0.Fp4grWelSC.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.Fp4grWelSC.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Fp4grWelSC.exe, Virustotal: Detection: 30%
Source: Fp4grWelSC.exe, ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match, File source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.safetyeats.asia/pnug/, Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: Fp4grWelSC.exe, Joe Sandbox ML: detected
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Fp4grWelSC.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Fp4grWelSC.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP; source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP; source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb; source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdb; source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011F31DC FindFirstFileW,FindNextFileW,FindClose,11_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_011D85EA
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,11_2_011E245C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,11_2_011DB89C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,11_2_011E68BA

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.safetyeats.asia/pnug/
Source: explorer.exe, 00000016.00000003.897084058.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.871772887.000000000466C000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.872046456.000000000466C000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.873076198.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.894500813.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.906108816.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.892662524.0000000004691000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.872317477.000000000468E000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp, String found in binary or memory: http://crl.v
Source: Fp4grWelSC.exe, 00000000.00000003.665336360.0000000005616000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.665368035.0000000005615000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.665301008.0000000005615000.00000004.00000001.sdmp, String found in binary or memory: http://en.wV
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Fp4grWelSC.exe, 00000000.00000003.667689980.0000000005617000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Fp4grWelSC.exe, 00000000.00000003.667936294.0000000005616000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Fp4grWelSC.exe, 00000000.00000003.671658171.000000000564D000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.671734893.000000000564D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Fp4grWelSC.exe, 00000000.00000003.673630049.000000000564D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Fp4grWelSC.exe, 00000000.00000002.688934459.0000000000D97000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: Fp4grWelSC.exe, 00000000.00000002.688934459.0000000000D97000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comas
Source: Fp4grWelSC.exe, 00000000.00000002.688934459.0000000000D97000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comldW
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.667467039.0000000005614000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Fp4grWelSC.exe, 00000000.00000003.676276050.0000000005646000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.676246333.0000000005646000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Fp4grWelSC.exe, 00000000.00000003.667875691.0000000005616000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.692388832.0000000006822000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000003.667936294.0000000005616000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: Fp4grWelSC.exe, 00000000.00000003.667875691.0000000005616000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cnew

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; the file sources are the same nine unpacked PEs and eleven memory dumps listed under "Yara detected FormBook" in the AV Detection section above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Fp4grWelSC.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00372050 0_2_00372050
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00D6C884 0_2_00D6C884
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00D6EC50 0_2_00D6EC50
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 0_2_00D6EC40 0_2_00D6EC40
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041D010 4_2_0041D010
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00401030 4_2_00401030
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041B8C3 4_2_0041B8C3
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041CBAD 4_2_0041CBAD
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00408C7B 4_2_00408C7B
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00408C80 4_2_00408C80
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00402D90 4_2_00402D90
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00402FB0 4_2_00402FB0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00AB2050 4_2_00AB2050
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F5D0A 11_2_011F5D0A
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F3506 11_2_011F3506
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E6550 11_2_011E6550
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E1969 11_2_011E1969
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D7190 11_2_011D7190
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F31DC 11_2_011F31DC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DD803 11_2_011DD803
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DE040 11_2_011DE040
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D9CF0 11_2_011D9CF0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D48E6 11_2_011D48E6
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DCB48 11_2_011DCB48
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E5FC8 11_2_011E5FC8
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F6FF0 11_2_011F6FF0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DFA30 11_2_011DFA30
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D5226 11_2_011D5226
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D5E70 11_2_011D5E70
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D8AD7 11_2_011D8AD7
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle, 11_2_011E374E
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004185E0 NtCreateFile, 4_2_004185E0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00418690 NtReadFile, 4_2_00418690
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00418710 NtClose, 4_2_00418710
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004187C0 NtAllocateVirtualMemory, 4_2_004187C0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041868A NtReadFile, 4_2_0041868A
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_0041870A NtClose, 4_2_0041870A
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 11_2_011F6D90
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 11_2_011FB5E0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose, 11_2_011DB42E
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 11_2_011D84BE
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 11_2_011D58A4
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB4C0 NtQueryInformationToken, 11_2_011DB4C0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken, 11_2_011DB4F8
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 11_2_011D83F2
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F9AB4 NtSetInformationFile, 11_2_011F9AB4
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 11_2_011E6550
          Source: Fp4grWelSC.exe, 00000000.00000002.688004733.00000000003DF000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainManag.exe8 vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000000.00000002.693045785.0000000006D10000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000000.685619670.0000000000B1F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainManag.exe8 vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000002.766242265.000000000361D000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000003.762703815.0000000001147000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000002.764785736.000000000179F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Fp4grWelSC.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Fp4grWelSC.exe Virustotal: Detection: 30%
          Source: Fp4grWelSC.exe ReversingLabs: Detection: 39%
          Source: Fp4grWelSC.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\Fp4grWelSC.exe "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process created: C:\Users\user\Desktop\Fp4grWelSC.exe C:\Users\user\Desktop\Fp4grWelSC.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process created: C:\Users\user\Desktop\Fp4grWelSC.exe C:\Users\user\Desktop\Fp4grWelSC.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fp4grWelSC.exe.log
          Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@0/0
          Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011FA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z, 11_2_011FA0D2
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit, 11_2_011DC5CA
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\explorer.exe
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Fp4grWelSC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Fp4grWelSC.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdb source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Fp4grWelSC.exe, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Fp4grWelSC.exe.370000.0.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Fp4grWelSC.exe.370000.0.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.7.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.9.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.5.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.1.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.Fp4grWelSC.exe.ab0000.1.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.2.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.3.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.0.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 0_2_0037F6EB push esp; iretd 0_2_0037F6EE
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0041B822 push eax; ret 4_2_0041B828
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0041B82B push eax; ret 4_2_0041B892
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0041B88C push eax; ret 4_2_0041B892
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_00418AC3 push esp; iretd 4_2_00418ACC
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0041747D push edi; ret 4_2_0041747E
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0041CD7E push es; ret 4_2_0041CD87
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0040CD0A push es; iretd 4_2_0040CD0B
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0041A5E6 push ebp; ret 4_2_0041A5E7
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_0041B7D5 push eax; ret 4_2_0041B828
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_00ABF6EB push esp; iretd 4_2_00ABF6EE
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011E76BD push ecx; ret 11_2_011E76D0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011E76D1 push ecx; ret 11_2_011E76E4
          Source: initial sample | Static PE information: section name: .text entropy: 7.74639201184

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
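The self-deletion above is a single `cmd.exe /c del` of the sample's own path. What follows is an added example, not part of the Joe Sandbox report: detection logic for that pattern, run over a constructed process-creation log shaped like this run's process chain. Only PID 7132 is taken from the report; the other PIDs, the parent links, and the assumption that the deleting cmd.exe descends from explorer.exe rather than from the sample are made up for the illustration.

```python
"""Flag a cmd.exe that deletes the image of another process seen in the log.

Added example (not from the report). Everything except PID 7132 is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str           # full path of the executable that was started
    command_line: str


# '... /c del [/switches] <path>' with or without quotes around the path.
_DEL_RE = re.compile(r'/c\s+del\b(?:\s+/[a-z])*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def deleted_path(command_line: str) -> Optional[str]:
    """Return the path a cmd.exe '/c del' command line removes, or None."""
    m = _DEL_RE.search(command_line)
    return m.group(1) if m else None


def _ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


@dataclass(frozen=True)
class SelfDeletion:
    deleter_pid: int
    deleted_image: str
    victim_pids: Tuple[int, ...]   # processes that ran from the deleted image
    via_ancestry: bool             # True only if a victim is an ancestor of the deleter


def find_self_deletion(events: List[ProcEvent]) -> List[SelfDeletion]:
    """Match the deleted path against *every* image in the log, not just the
    deleter's ancestors: after injection into explorer.exe / cmd.exe the deleting
    cmd.exe is no longer a descendant of the sample, so an ancestry-only rule
    would miss exactly this case."""
    by_pid = {e.pid: e for e in events}
    by_image: Dict[str, List[int]] = {}
    for e in events:
        by_image.setdefault(e.image.lower(), []).append(e.pid)

    hits: List[SelfDeletion] = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target = deleted_path(e.command_line)
        if target is None or target.lower() not in by_image:
            continue
        victims = tuple(by_image[target.lower()])
        ancestry = any(a.pid in victims for a in _ancestors(e.ppid, by_pid))
        hits.append(SelfDeletion(e.pid, target, victims, ancestry))
    return hits


SAMPLE = r"C:\Users\user\Desktop\Fp4grWelSC.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed log: the deleting cmd.exe descends from explorer.exe, not from the sample.
CONSTRUCTED_EVENTS = [
    ProcEvent(7132, 4000, SAMPLE, SAMPLE),                    # .NET stub (PID from the report)
    ProcEvent(7200, 7132, SAMPLE, SAMPLE),                    # child that receives the native PE
    ProcEvent(3500, 3000, EXPLORER, "explorer.exe"),          # shell the sample injects into
    ProcEvent(7300, 3500, CMD, CMD),                          # hollowed cmd.exe, started by the shell
    ProcEvent(7400, 7300, CMD, f'{CMD} /c del "{SAMPLE}"'),   # the self-deletion
]

if __name__ == "__main__":
    for hit in find_self_deletion(CONSTRUCTED_EVENTS):
        print(hit)
```

Windows refuses to delete an executable that is still mapped by a running process, so the delete can only succeed once execution has moved into explorer.exe and cmd.exe; for the same reason the deleting cmd.exe is not a descendant of the sample and `via_ancestry` comes back False. Comparing the deleted path against every image started during the window is what catches it.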
          Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (48 identical entries)

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0.2.Fp4grWelSC.exe.28777e4.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Fp4grWelSC.exe.286f7d8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Fp4grWelSC.exe.28b65dc.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Fp4grWelSC.exe PID: 7132, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Fp4grWelSC.exe, 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: Fp4grWelSC.exe, 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000000608604 second address: 000000000060860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 000000000060899E second address: 00000000006089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe TID: 7136 | Thread sleep time: -34160s >= -30000s
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe TID: 7160 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_004088D0 rdtsc 4_2_004088D0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Thread delayed: delay time: 922337203685477
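An added example (not the report's or Joe Sandbox's code) that scans raw bytes, such as a dumped region or a PE section, for the static evidence listed in the Data Obfuscation section and here: `.text` entropy (7.746 bits per byte in the initial sample, high enough to indicate packed or encrypted content), `push X; ret` sequences, and two rdtsc reads close together. Adjacent-pair matching is a simplification: the report's signature pairs a push with a ret anywhere in the same function (4_2_0041B82B push eax; ret 4_2_0041B892). The input bytes are constructed; the first eight are the exact sequence the interceptor lists at 0x408604 (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc).

```python
"""Static scan of a byte buffer for entropy, push/ret pairs and rdtsc timing probes.

Added example, not from the report. SAMPLE_BYTES is constructed.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

# One-byte push opcodes and the return-type opcodes the signature pairs them with.
_PUSH = {0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
         0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
         0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}
_RET = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
_RDTSC = b"\x0f\x31"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_push_ret(data: bytes) -> List[Tuple[int, str]]:
    """Offsets of a push immediately followed by ret/retf/iretd.

    'push imm32; ret' is the classic obfuscated jump. The register and segment
    forms match plain data bytes just as well, which is why this is weak evidence.
    """
    hits = []
    for i in range(len(data) - 1):
        op, nxt = data[i], data[i + 1]
        if op in _PUSH and nxt in _RET:
            hits.append((i, f"{_PUSH[op]}; {_RET[nxt]}"))
        elif op == 0x68 and i + 5 < len(data) and data[i + 5] in _RET:
            target = int.from_bytes(data[i + 1:i + 5], "little")
            hits.append((i, f"push 0x{target:08x}; {_RET[data[i + 5]]}"))
    return hits


def find_rdtsc_pairs(data: bytes, window: int = 16) -> List[Tuple[int, int]]:
    """(first, second) offsets of two rdtsc instructions at most `window` bytes apart.

    Two reads that close, with only register arithmetic between them, are a
    timing probe: tens of cycles on bare metal, orders of magnitude more when a
    hypervisor traps rdtsc or a sandbox single-steps the thread.
    """
    positions = []
    start = 0
    while (pos := data.find(_RDTSC, start)) != -1:
        positions.append(pos)
        start = pos + 1
    return [(a, b) for a, b in zip(positions, positions[1:]) if b - a <= window]


def scan(data: bytes) -> Dict[str, object]:
    return {"entropy": round(shannon_entropy(data), 3),
            "push_ret": find_push_ret(data),
            "rdtsc_pairs": find_rdtsc_pairs(data)}


# Constructed input: the interceptor's sequence (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc),
# a 'push 0x00401000; ret' jump, then two data bytes that also decode as push es; iretd.
SAMPLE_BYTES = (b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"
                + b"\x68\x00\x10\x40\x00\xc3"
                + b"\x06\xcf")

if __name__ == "__main__":
    for key, value in scan(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

The push/ret matches also land inside the cmd.exe image at 0x11D0000 (11_2_011E76BD push ecx; ret, the region where the report locates cmd.pdb), and `push es; iretd` is a routine false positive from data bytes, so treat that signature as weak on its own. The rdtsc pair at offsets 0 and 6 is the stronger artifact: with only `xor ecx, ecx; add ecx, eax` between the two reads, a large delta can only come from a trap or single-stepping, which is the check the report's interceptor is there to neutralise.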
          Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011F31DC FindFirstFileW,FindNextFileW,FindClose,11_2_011F31DC
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_011D85EA
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,11_2_011E245C
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,11_2_011DB89C
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,11_2_011E68BA
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Thread delayed: delay time: 34160
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Thread delayed: delay time: 922337203685477
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000016.00000003.896790069.0000000010860000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Br
          Source: explorer.exe, 00000016.00000003.891009930.0000000005E6A000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000016.00000003.878772068.000000000FE98000.00000004.00000001.sdmp | Binary or memory string: 11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000016.00000003.871828614.00000000046A6000.00000004.00000001.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.00
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000016.00000003.891246769.000000000FE98000.00000004.00000001.sdmp | Binary or memory string: e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000016.00000003.849361987.0000000005DD1000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%/
          Source: explorer.exe, 00000005.00000000.732278813.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.716929271.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000016.00000003.896790069.0000000010860000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 00000016.00000003.892662524.0000000004691000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\?
          Source: explorer.exe, 00000005.00000000.725815512.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.716929271.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000016.00000003.902747265.00000000101EE000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
          Source: explorer.exe, 00000005.00000000.716995391.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000016.00000003.896978189.000000000464B000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0zN
          Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D: @@@@````
          Source: explorer.exe, 00000016.00000000.872239876.00000000045CB000.00000004.00000001.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.725967558.0000000004791000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAX
          Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp | Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.713334907.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
          Source: explorer.exe, 00000016.00000003.892662524.0000000004691000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00\
          Source: explorer.exe, 00000016.00000000.897232542.00000000101EE000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}O
          Source: explorer.exe, 00000005.00000000.733411384.000000000A897000.00000004.00000001.sdmp | Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
          Source: explorer.exe, 00000016.00000003.871888644.00000000046E4000.00000004.00000001.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}*
          Source: explorer.exe, 00000016.00000003.849361987.0000000005DD1000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}p mode should ".
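Most of the VMware strings above were read from explorer.exe (process indexes 5 and 0x16), and those STORAGE#Volume / SCSI#CdRom device-interface paths are what the shell holds on any VMware guest; they say little about the sample's own checks, even though FormBook has mapped code into explorer.exe in this run. The evidence that belongs to the sample sits in the two process-0 dumps at 0x2841000 and 0x288A000, the same regions the AntiVM3 Yara rule matched, next to SBIEDLL.DLL and wine_get_unix_file_name. The following is an added example, not part of the report: it decodes the dump-file names and attributes each string to the process it was read from. The dump-name layout (process index, stage, id, base address, protection, type) is inferred from the names on this page and the protection field is decoded as Windows PAGE_* constants; both are assumptions. Four input lines are copied from the report, one of them in the run-together form the HTML-to-text extraction produced.

```python
"""Attribute Joe Sandbox 'Binary or memory string' evidence to its source process.

Added example, not from the report. Dump-name layout is an assumption inferred
from this page: <process index>.<stage>.<id>.<base address>.<protection>.<type>.sdmp
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows memory protection constants (assumption: the fifth dump-name field is one of these).
_PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
         0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
         0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

_DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
                      r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Accepts 'Source: <pairs> | Binary or memory string: <v>' and the run-together
# '...sdmpBinary or memory string: <v>' form produced by HTML-to-text extraction.
_LINE_RE = re.compile(r"^Source:\s*(.*?)\s*\|?\s*Binary or memory string:\s*(.*)$")


@dataclass(frozen=True)
class Dump:
    process_index: int   # index of the process in the analysis (0 = the submitted sample)
    stage: int           # second field as written (0, 2 or 3 on this page)
    base: int            # base address of the dumped region
    protection: str
    name: str


def parse_dump_name(name: str) -> Optional[Dump]:
    m = _DUMP_RE.match(name)
    if not m:
        return None
    proc, stage, _id, base, prot, _type = m.groups()
    prot_value = int(prot, 16)
    return Dump(int(proc, 16), int(stage, 16), int(base, 16),
                _PAGE.get(prot_value, f"0x{prot_value:x}"), name)


@dataclass(frozen=True)
class StringHit:
    process: str
    dump: Dump
    value: str


def parse_line(line: str) -> List[StringHit]:
    """One report line cites one or more '<process>, <dump>' pairs; return one hit per pair."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return []
    sources, value = m.groups()
    parts = [p.strip() for p in sources.split(",")]
    hits = []
    for proc, dump_name in zip(parts[0::2], parts[1::2]):
        dump = parse_dump_name(dump_name)
        if dump is not None:
            hits.append(StringHit(proc, dump, value))
    return hits


def attribute(lines: List[str], sample_name: str) -> Dict[str, List[StringHit]]:
    """Separate strings read from the sample's own process from those read elsewhere."""
    out: Dict[str, List[StringHit]] = {"sample": [], "other": []}
    for line in lines:
        for hit in parse_line(line):
            bucket = "sample" if hit.process.lower() == sample_name.lower() else "other"
            out[bucket].append(hit)
    return out


# Four lines copied from the report; the first two cite the dumps the AntiVM3 Yara rule hit.
REPORT_LINES = [
    r"Source: Fp4grWelSC.exe, 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, "
    r"Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | "
    r"Binary or memory string: SBIEDLL.DLL",
    r"Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp | "
    r"Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: explorer.exe, 00000016.00000003.891009930.0000000005E6A000.00000004.00000001.sdmp | "
    r"Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"Source: explorer.exe, 00000016.00000003.871828614.00000000046A6000.00000004.00000001.sdmp"
    r"Binary or memory string: NECVMWarVMware SATA CD001.00",   # run-together form, as extracted
]

if __name__ == "__main__":
    for bucket, hits in attribute(REPORT_LINES, "Fp4grWelSC.exe").items():
        for h in hits:
            print(f"{bucket:6} proc#{h.dump.process_index} base=0x{h.dump.base:x} "
                  f"{h.dump.protection}: {h.value}")
```

Grouping by process index also exposes that the sample-side strings all live in PAGE_READWRITE heap regions of process 0, the .NET stage that runs before the native FormBook payload is written into the child at 0x400000.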
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011F2258 IsDebuggerPresent,11_2_011F2258
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011F1914 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,11_2_011F1914
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_004088D0 rdtsc 4_2_004088D0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011FB5E0 mov eax, dword ptr fs:[00000030h] 11_2_011FB5E0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Code function: 4_2_00409B40 LdrLoadDll,4_2_00409B40
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Memory allocated: page read and write | page guard
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011E7310 SetUnhandledExceptionFilter,11_2_011E7310
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 11_2_011E6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_011E6FE3

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 11D0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Memory written: C:\Users\user\Desktop\Fp4grWelSC.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Process created: C:\Users\user\Desktop\Fp4grWelSC.exe C:\Users\user\Desktop\Fp4grWelSC.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp | Binary or memory string: ,Program Manager
          Source: explorer.exe, 00000005.00000000.689548648.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.709918766.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.724562670.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.699520641.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp, cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.874340943.0000000004E40000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp, cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.874340943.0000000004E40000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.841376064.0000000004A69000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.842632526.0000000004A69000.00000004.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000016.00000000.853795792.0000000000B28000.00000004.00000020.sdmp | Binary or memory string: ProgmansT
          Source: explorer.exe, 00000016.00000003.841476449.0000000004A2F000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.873737852.0000000004A35000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd(%
          Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.702175441.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.732418919.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.716929271.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Users\user\Desktop\Fp4grWelSC.exe VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe