Windows Analysis Report
vbc.exe

Overview

General Information

Sample Name: vbc.exe
Analysis ID: 632530
MD5: 21c7c1417e4dec1a2960197f22ae9c71
SHA1: 4bdea1a823dd1b68e8c83bddebf613883d36ef47
SHA256: 5938c544d44a8b9714eb80c498d7cbb327b55d8176541118394d3357727f3d28
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: vbc.exe Virustotal: Detection: 43%
Source: vbc.exe ReversingLabs: Detection: 46%
Source: Yara match File source: 10.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.41c4598.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.441872504.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.527059219.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.434511328.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.679901222.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.679750293.0000000004560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.489673549.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.432195790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678413913.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.527575216.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.512379636.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.526456161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\ArjxBSiwgdPJ.exe ReversingLabs: Detection: 46%
Source: 10.0.vbc.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.vbc.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.vbc.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: vbc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: vbc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL source: vbc.exe, 0000000A.00000002.528041573.0000000000E10000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: vbc.exe, 0000000A.00000002.528041573.0000000000E10000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 0000000A.00000002.529645470.0000000000F5F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.441322887.0000000000CA1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.528213588.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.438779181.0000000000B04000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.526754970.0000000004568000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.529829387.000000000470C000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680921020.00000000049BF000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680383209.00000000048A0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, 0000000A.00000002.529645470.0000000000F5F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.441322887.0000000000CA1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.528213588.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.438779181.0000000000B04000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000010.00000003.526754970.0000000004568000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.529829387.000000000470C000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680921020.00000000049BF000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680383209.00000000048A0000.00000040.00000800.00020000.00000000.sdmp
Source: explorer.exe, 0000001B.00000000.648885949.0000000007468000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.666488442.0000000007468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001B.00000000.648885949.0000000007468000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.666488442.0000000007468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000C.00000000.485351511.0000000008168000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.456453832.0000000008168000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.508203449.0000000008168000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: vbc.exe, 00000000.00000002.440700886.0000000003071000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: vbc.exe, 00000000.00000002.444819012.00000000071C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000000.00000002.440228613.0000000001479000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud


System Summary

Source: 10.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.vbc.exe.7a70000.13.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.vbc.exe.7a70000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.vbc.exe.4309710.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.vbc.exe.427e8f0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.vbc.exe.4309710.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.3.vbc.exe.427e8f0.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.vbc.exe.41c4598.10.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.vbc.exe.41c4598.10.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.446561465.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.441872504.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.441872504.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.527059219.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.527059219.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.434511328.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.434511328.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.679901222.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.679901222.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.679750293.0000000004560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.679750293.0000000004560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.489673549.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.489673549.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.432195790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.432195790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.678413913.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.678413913.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.527575216.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.527575216.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.512379636.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.512379636.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.526456161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.526456161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: vbc.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 10.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.vbc.exe.7a70000.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.vbc.exe.7a70000.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.vbc.exe.4309710.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.vbc.exe.427e8f0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.vbc.exe.4309710.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.3.vbc.exe.427e8f0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.vbc.exe.41c4598.10.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.vbc.exe.41c4598.10.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.446561465.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.441872504.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.441872504.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.527059219.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.527059219.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.434511328.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.434511328.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.679901222.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.679901222.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.679750293.0000000004560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.679750293.0000000004560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.489673549.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.489673549.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.432195790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.432195790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.678413913.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.678413913.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.527575216.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.527575216.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.512379636.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.512379636.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.526456161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.526456161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0170E670 0_2_0170E670
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_0170E660 0_2_0170E660
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041E015 10_2_0041E015
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00401030 10_2_00401030
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041D931 10_2_0041D931
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041DAC3 10_2_0041DAC3
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041E4F6 10_2_0041E4F6
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041E498 10_2_0041E498
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00402D87 10_2_00402D87
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00402D90 10_2_00402D90
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041D5B6 10_2_0041D5B6
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00409E60 10_2_00409E60
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041EF56 10_2_0041EF56
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00402FB0 10_2_00402FB0
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00447F83 10_2_00447F83
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D841F 16_2_048D841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498D466 16_2_0498D466
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F2581 16_2_048F2581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049925DD 16_2_049925DD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DD5E0 16_2_048DD5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04992D07 16_2_04992D07
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C0D20 16_2_048C0D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04991D55 16_2_04991D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04992EF7 16_2_04992EF7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498D616 16_2_0498D616
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E6E30 16_2_048E6E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04991FF1 16_2_04991FF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DB090 16_2_048DB090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F20A0 16_2_048F20A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049920A8 16_2_049920A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049928EC 16_2_049928EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04981002 16_2_04981002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CF900 16_2_048CF900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E4120 16_2_048E4120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049922AE 16_2_049922AE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FEBB0 16_2_048FEBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498DBD2 16_2_0498DBD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04992B28 16_2_04992B28
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CD931 16_2_005CD931
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CDAC3 16_2_005CDAC3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005B2D90 16_2_005B2D90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005B2D87 16_2_005B2D87
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CD5B6 16_2_005CD5B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005B9E60 16_2_005B9E60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005B2FB0 16_2_005B2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 048CB150 appears 35 times
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A370 NtCreateFile, 10_2_0041A370
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A420 NtReadFile, 10_2_0041A420
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A4A0 NtClose, 10_2_0041A4A0
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A550 NtAllocateVirtualMemory, 10_2_0041A550
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A36B NtCreateFile, 10_2_0041A36B
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A41A NtReadFile, 10_2_0041A41A
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A49C NtClose, 10_2_0041A49C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049095D0 NtClose,LdrInitializeThunk, 16_2_049095D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909540 NtReadFile,LdrInitializeThunk, 16_2_04909540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049096D0 NtCreateKey,LdrInitializeThunk, 16_2_049096D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049096E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_049096E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909650 NtQueryValueKey,LdrInitializeThunk, 16_2_04909650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_04909660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909780 NtMapViewOfSection,LdrInitializeThunk, 16_2_04909780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909FE0 NtCreateMutant,LdrInitializeThunk, 16_2_04909FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909710 NtQueryInformationToken,LdrInitializeThunk, 16_2_04909710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909840 NtDelayExecution,LdrInitializeThunk, 16_2_04909840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_04909860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049099A0 NtCreateSection,LdrInitializeThunk, 16_2_049099A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_04909910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909A50 NtCreateFile,LdrInitializeThunk, 16_2_04909A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049095F0 NtQueryInformationFile, 16_2_049095F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0490AD30 NtSetContextThread, 16_2_0490AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909520 NtWaitForSingleObject, 16_2_04909520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909560 NtWriteFile, 16_2_04909560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909610 NtEnumerateValueKey, 16_2_04909610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909670 NtQueryInformationProcess, 16_2_04909670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049097A0 NtUnmapViewOfSection, 16_2_049097A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0490A710 NtOpenProcessToken, 16_2_0490A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909730 NtQueryVirtualMemory, 16_2_04909730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0490A770 NtOpenThread, 16_2_0490A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909770 NtSetInformationFile, 16_2_04909770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909760 NtOpenProcess, 16_2_04909760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049098A0 NtWriteVirtualMemory, 16_2_049098A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049098F0 NtReadVirtualMemory, 16_2_049098F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909820 NtEnumerateKey, 16_2_04909820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0490B040 NtSuspendThread, 16_2_0490B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049099D0 NtCreateProcessEx, 16_2_049099D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909950 NtQueueApcThread, 16_2_04909950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909A80 NtOpenDirectoryObject, 16_2_04909A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909A10 NtQuerySection, 16_2_04909A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909A00 NtProtectVirtualMemory, 16_2_04909A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909A20 NtResumeThread, 16_2_04909A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0490A3B0 NtGetContextThread, 16_2_0490A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04909B00 NtSetValueKey, 16_2_04909B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA370 NtCreateFile, 16_2_005CA370
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA420 NtReadFile, 16_2_005CA420
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA4A0 NtClose, 16_2_005CA4A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA550 NtAllocateVirtualMemory, 16_2_005CA550
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA36B NtCreateFile, 16_2_005CA36B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA41A NtReadFile, 16_2_005CA41A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA49C NtClose, 16_2_005CA49C
Source: vbc.exe Binary or memory string: OriginalFilename vs vbc.exe
Source: vbc.exe, 00000000.00000002.446561465.0000000007A70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs vbc.exe
Source: vbc.exe, 00000000.00000002.440228613.0000000001479000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs vbc.exe
Source: vbc.exe, 00000000.00000003.421046648.0000000004111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs vbc.exe
Source: vbc.exe, 0000000A.00000003.439252609.0000000000C1A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 0000000A.00000002.529645470.0000000000F5F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 0000000A.00000002.530529735.00000000010EF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 0000000A.00000002.528066342.0000000000E13000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs vbc.exe
Source: vbc.exe, 0000000A.00000003.441710740.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ArjxBSiwgdPJ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe Virustotal: Detection: 43%
Source: vbc.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\vbc.exe File read: C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ArjxBSiwgdPJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ArjxBSiwgdPJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9226.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\vbc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Roaming\ArjxBSiwgdPJ.exe
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Local\Temp\tmp9226.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/8@0/0
Source: C:\Users\user\Desktop\vbc.exe File read: C:\Users\user\Desktop\desktop.ini
Source: vbc.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4004:120:WilError_01
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: vbc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vbc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL source: vbc.exe, 0000000A.00000002.528041573.0000000000E10000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb source: vbc.exe, 0000000A.00000002.528041573.0000000000E10000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 0000000A.00000002.529645470.0000000000F5F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.441322887.0000000000CA1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.528213588.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.438779181.0000000000B04000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.526754970.0000000004568000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.529829387.000000000470C000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680921020.00000000049BF000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680383209.00000000048A0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, 0000000A.00000002.529645470.0000000000F5F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.441322887.0000000000CA1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.528213588.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.438779181.0000000000B04000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000010.00000003.526754970.0000000004568000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000003.529829387.000000000470C000.00000004.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680921020.00000000049BF000.00000040.00000800.00020000.00000000.sdmp, colorcpl.exe, 00000010.00000002.680383209.00000000048A0000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: vbc.exe, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ArjxBSiwgdPJ.exe.0.dr, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.vbc.exe.ce0000.0.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.vbc.exe.ce0000.0.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.vbc.exe.440000.7.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.vbc.exe.440000.3.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.vbc.exe.440000.0.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.vbc.exe.440000.9.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.vbc.exe.440000.1.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.vbc.exe.440000.5.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.vbc.exe.440000.1.unpack, XmlGrid/Form1.cs .Net Code: DateTime System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_004171DD push eax; retf 10_2_004171DE
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00417AC9 push edi; retf 10_2_00417ACE
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041A2E3 pushad ; iretd 10_2_0041A2E4
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041D4C5 push eax; ret 10_2_0041D518
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041D57C push eax; ret 10_2_0041D582
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041D512 push eax; ret 10_2_0041D518
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0041D51B push eax; ret 10_2_0041D582
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0491D0D1 push ecx; ret 16_2_0491D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005C71DD push eax; retf 16_2_005C71DE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005C7AC9 push edi; retf 16_2_005C7ACE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CA2E3 pushad ; iretd 16_2_005CA2E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CD4C5 push eax; ret 16_2_005CD518
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CD57C push eax; ret 16_2_005CD582
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CD51B push eax; ret 16_2_005CD582
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_005CD512 push eax; ret 16_2_005CD518
Source: initial sample Static PE information: section name: .text entropy: 7.91178513936
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Roaming\ArjxBSiwgdPJ.exe (dropped file)

Boot Survival

Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ArjxBSiwgdPJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9226.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\colorcpl.exe Process created: /c del "C:\Users\user\Desktop\vbc.exe"
Source: C:\Users\user\Desktop\vbc.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.440700886.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3756, type: MEMORYSTR
Source: vbc.exe, 00000000.00000002.440700886.0000000003071000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.440700886.0000000003071000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\vbc.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000005B9904 second address: 00000000005B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000005B9B7E second address: 00000000005B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vbc.exe TID: 3416 Thread sleep time: -43731s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6648 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00409AB0 rdtsc 10_2_00409AB0
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5573
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 540
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 9.5 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 43731
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: explorer.exe, 0000001B.00000000.648359310.00000000073AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}(x8
Source: vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000001B.00000000.648885949.0000000007468000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000000.648359310.00000000073AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000001B.00000000.645098211.0000000004552000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 0000000C.00000000.507248618.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 0000001B.00000000.649484380.0000000007504000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001B.00000000.645098211.0000000004552000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}5
Source: explorer.exe, 0000000C.00000000.485135419.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: explorer.exe, 0000001B.00000000.648196007.0000000007342000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000;
Source: explorer.exe, 0000001B.00000002.667449641.00000000074E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001B.00000002.666587487.0000000007495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD)"
Source: explorer.exe, 0000001B.00000000.648359310.00000000073AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}{
Source: explorer.exe, 0000000C.00000000.469232585.00000000042EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: explorer.exe, 0000001B.00000000.648885949.0000000007468000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000C.00000000.498915986.00000000042A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
Source: explorer.exe, 0000001B.00000002.666587487.0000000007495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c9y!
Source: explorer.exe, 0000001B.00000002.664211588.00000000060DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_00409AB0 rdtsc 10_2_00409AB0
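The evasion evidence above is a flat list of one line per event, which is slow to triage by eye and easy to misread: the VMware device strings in explorer.exe memory, for instance, sit next to the loader's own VMware Tools and SBIEDLL.DLL strings but carry far less weight. The following Python script is an added example, not part of the Joe Sandbox report or of FormBook, that parses lines in this report's format into per-process tallies of evasion behaviours: the double rdtsc timing probe, long and effectively infinite sleeps, VMware/Sandboxie/Wine marker strings, PEB reads through fs:[30h], and the debug-privilege token adjustment that the report lists alongside them. The sample lines are copied from this section (with the link text dropped); the marker table, the function names, the treatment of VM strings found in explorer.exe as weak evidence (explorer enumerates the host's PnP device IDs in normal operation), and the reading of 922337203685477 as an infinite sleep (it equals INT64_MAX / 10^4, which is what the largest 100 ns relative interval NtDelayExecution accepts comes to in milliseconds) are the example's own assumptions and interpretations, not statements the report makes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: evidence lines in the shape this report uses, copied
# from the section above with the "Jump to behavior" link text dropped.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\vbc.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000005B9904 second address: 00000000005B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vbc.exe TID: 3416 Thread sleep time: -43731s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s
Source: vbc.exe, 00000000.00000002.440700886.0000000003071000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.441113838.0000000003329000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000001B.00000000.649484380.0000000007504000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D849B mov eax, dword ptr fs:[00000030h] 16_2_048D849B
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
"""

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>RDTSC instruction interceptor|TID: \d+ Thread sleep time|"
    r"Code function|Process token adjusted|Binary or memory string): ?(?P<detail>.*)$"
)

# Substrings that betray an analysis environment, mapped to what they identify
# (assumed marker table, not taken from the report).
VM_MARKERS = {
    "SBIEDLL": "sandboxie",                 # Sandboxie's injected DLL
    "WINE_GET_UNIX_FILE_NAME": "wine",      # kernel32 export that only Wine has
    "VMWARE": "vmware",                     # VMware Tools path, SVGA adapter, devices
}
# Assumption (not from the report): explorer.exe holds the host's PnP device IDs
# as part of normal operation, so VM strings in its memory are weak evidence.
WEAK_STRING_HOSTS = {"explorer.exe"}
# INT64_MAX in 100 ns units expressed in milliseconds; the report's figure of
# 922337203685477 is exactly this, so it is treated here as an infinite sleep.
MAX_DELAY = (2**63 - 1) // 10_000


def process_name(src: str) -> str:
    """File sources are full paths; dump sources read 'name.exe, <dump id>.sdmp'."""
    return src.split(",", 1)[0].rsplit("\\", 1)[-1].strip().lower()


def classify(line: str):
    """Return (process, tag, detail) for one evidence line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind, detail = m.group("src", "kind", "detail")
    proc = process_name(src)
    if kind == "RDTSC instruction interceptor":
        # Two rdtsc reads around a few cheap instructions: a timing probe that
        # measures hypervisor trap overhead or single-stepping delay.
        tag = "timing_rdtsc" if detail.count(" rdtsc") >= 2 else "timing_other"
        return proc, tag, detail
    if kind.endswith("Thread sleep time"):
        secs = int(re.match(r"-?(\d+)s", detail).group(1))
        return proc, ("sleep_infinite" if secs >= MAX_DELAY else "sleep_long"), str(secs)
    if kind == "Binary or memory string":
        upper = detail.upper()
        for marker, vendor in VM_MARKERS.items():
            if marker in upper:
                strength = "weak" if proc in WEAK_STRING_HOSTS else "strong"
                return proc, f"vm_string_{vendor}_{strength}", detail
        return proc, "string_other", detail
    if kind == "Code function" and "fs:[00000030h]" in detail:
        # fs:[0x30] is the TEB's PEB pointer on 32-bit Windows; reading it is the
        # first step of BeingDebugged/NtGlobalFlag checks and of manual API resolution.
        return proc, "peb_read", detail.split()[0]
    if kind == "Process token adjusted" and detail.strip() == "Debug":
        return proc, "debug_privilege", detail
    return proc, "other", detail


def triage(text: str) -> dict:
    """Tally evasion tags per process over a block of report lines."""
    per_proc = defaultdict(Counter)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            proc, tag, _ = hit
            per_proc[proc][tag] += 1
    return {proc: dict(tags) for proc, tags in per_proc.items()}


def rank(summary: dict) -> list:
    """Order processes by distinct strong tags, then by event count, most suspicious first."""
    def score(item):
        _, tags = item
        strong = [t for t in tags if not t.endswith("_weak")]
        return (len(strong), sum(tags.values()))
    return [proc for proc, _ in sorted(summary.items(), key=score, reverse=True)]


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for proc in rank(summary):
        print(f"{proc:14s} {summary[proc]}")
```

Run as a script, it lists vbc.exe first, then colorcpl.exe (the process FormBook hollowed, which shows the same rdtsc probe plus PEB reads and the debug privilege), and explorer.exe last because its only hit is a weak device-string match. Feed it the full "Malware Analysis System Evasion" section of a report and the same ranking separates the sample and its injection target from system processes whose memory merely reflects the host.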
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D849B mov eax, dword ptr fs:[00000030h] 16_2_048D849B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04998CD6 mov eax, dword ptr fs:[00000030h] 16_2_04998CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049814FB mov eax, dword ptr fs:[00000030h] 16_2_049814FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04946CF0 mov eax, dword ptr fs:[00000030h] 16_2_04946CF0 (3 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0499740D mov eax, dword ptr fs:[00000030h] 16_2_0499740D (3 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04981C06 mov eax, dword ptr fs:[00000030h] 16_2_04981C06 (14 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04946C0A mov eax, dword ptr fs:[00000030h] 16_2_04946C0A (4 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FBC2C mov eax, dword ptr fs:[00000030h] 16_2_048FBC2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FA44B mov eax, dword ptr fs:[00000030h] 16_2_048FA44B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495C450 mov eax, dword ptr fs:[00000030h] 16_2_0495C450 (2 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E746D mov eax, dword ptr fs:[00000030h] 16_2_048E746D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C2D8A mov eax, dword ptr fs:[00000030h] 16_2_048C2D8A (5 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F2581 mov eax, dword ptr fs:[00000030h] 16_2_048F2581 (4 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FFD9B mov eax, dword ptr fs:[00000030h] 16_2_048FFD9B (2 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F35A1 mov eax, dword ptr fs:[00000030h] 16_2_048F35A1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049905AC mov eax, dword ptr fs:[00000030h] 16_2_049905AC (2 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F1DB5 mov eax, dword ptr fs:[00000030h] 16_2_048F1DB5 (3 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04946DC9 mov eax, dword ptr fs:[00000030h] 16_2_04946DC9 (5 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04946DC9 mov ecx, dword ptr fs:[00000030h] 16_2_04946DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04978DF1 mov eax, dword ptr fs:[00000030h] 16_2_04978DF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DD5E0 mov eax, dword ptr fs:[00000030h] 16_2_048DD5E0 (2 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498FDE2 mov eax, dword ptr fs:[00000030h] 16_2_0498FDE2 (4 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498E539 mov eax, dword ptr fs:[00000030h] 16_2_0498E539
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0494A537 mov eax, dword ptr fs:[00000030h] 16_2_0494A537
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04998D34 mov eax, dword ptr fs:[00000030h] 16_2_04998D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F4D3B mov eax, dword ptr fs:[00000030h] 16_2_048F4D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F4D3B mov eax, dword ptr fs:[00000030h] 16_2_048F4D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F4D3B mov eax, dword ptr fs:[00000030h] 16_2_048F4D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D3D34 mov eax, dword ptr fs:[00000030h] 16_2_048D3D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CAD30 mov eax, dword ptr fs:[00000030h] 16_2_048CAD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04903D43 mov eax, dword ptr fs:[00000030h] 16_2_04903D43
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04943540 mov eax, dword ptr fs:[00000030h] 16_2_04943540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E7D50 mov eax, dword ptr fs:[00000030h] 16_2_048E7D50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EC577 mov eax, dword ptr fs:[00000030h] 16_2_048EC577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EC577 mov eax, dword ptr fs:[00000030h] 16_2_048EC577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495FE87 mov eax, dword ptr fs:[00000030h] 16_2_0495FE87
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049446A7 mov eax, dword ptr fs:[00000030h] 16_2_049446A7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04990EA5 mov eax, dword ptr fs:[00000030h] 16_2_04990EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04990EA5 mov eax, dword ptr fs:[00000030h] 16_2_04990EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04990EA5 mov eax, dword ptr fs:[00000030h] 16_2_04990EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F36CC mov eax, dword ptr fs:[00000030h] 16_2_048F36CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04998ED6 mov eax, dword ptr fs:[00000030h] 16_2_04998ED6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0497FEC0 mov eax, dword ptr fs:[00000030h] 16_2_0497FEC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04908EC7 mov eax, dword ptr fs:[00000030h] 16_2_04908EC7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F16E0 mov ecx, dword ptr fs:[00000030h] 16_2_048F16E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D76E2 mov eax, dword ptr fs:[00000030h] 16_2_048D76E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CC600 mov eax, dword ptr fs:[00000030h] 16_2_048CC600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CC600 mov eax, dword ptr fs:[00000030h] 16_2_048CC600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CC600 mov eax, dword ptr fs:[00000030h] 16_2_048CC600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F8E00 mov eax, dword ptr fs:[00000030h] 16_2_048F8E00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04981608 mov eax, dword ptr fs:[00000030h] 16_2_04981608
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FA61C mov eax, dword ptr fs:[00000030h] 16_2_048FA61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FA61C mov eax, dword ptr fs:[00000030h] 16_2_048FA61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0497FE3F mov eax, dword ptr fs:[00000030h] 16_2_0497FE3F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CE620 mov eax, dword ptr fs:[00000030h] 16_2_048CE620
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D7E41 mov eax, dword ptr fs:[00000030h] 16_2_048D7E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D7E41 mov eax, dword ptr fs:[00000030h] 16_2_048D7E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D7E41 mov eax, dword ptr fs:[00000030h] 16_2_048D7E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D7E41 mov eax, dword ptr fs:[00000030h] 16_2_048D7E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D7E41 mov eax, dword ptr fs:[00000030h] 16_2_048D7E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D7E41 mov eax, dword ptr fs:[00000030h] 16_2_048D7E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498AE44 mov eax, dword ptr fs:[00000030h] 16_2_0498AE44
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498AE44 mov eax, dword ptr fs:[00000030h] 16_2_0498AE44
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D766D mov eax, dword ptr fs:[00000030h] 16_2_048D766D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EAE73 mov eax, dword ptr fs:[00000030h] 16_2_048EAE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EAE73 mov eax, dword ptr fs:[00000030h] 16_2_048EAE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EAE73 mov eax, dword ptr fs:[00000030h] 16_2_048EAE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EAE73 mov eax, dword ptr fs:[00000030h] 16_2_048EAE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EAE73 mov eax, dword ptr fs:[00000030h] 16_2_048EAE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04947794 mov eax, dword ptr fs:[00000030h] 16_2_04947794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04947794 mov eax, dword ptr fs:[00000030h] 16_2_04947794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04947794 mov eax, dword ptr fs:[00000030h] 16_2_04947794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D8794 mov eax, dword ptr fs:[00000030h] 16_2_048D8794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049037F5 mov eax, dword ptr fs:[00000030h] 16_2_049037F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FA70E mov eax, dword ptr fs:[00000030h] 16_2_048FA70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FA70E mov eax, dword ptr fs:[00000030h] 16_2_048FA70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495FF10 mov eax, dword ptr fs:[00000030h] 16_2_0495FF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495FF10 mov eax, dword ptr fs:[00000030h] 16_2_0495FF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0499070D mov eax, dword ptr fs:[00000030h] 16_2_0499070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0499070D mov eax, dword ptr fs:[00000030h] 16_2_0499070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EF716 mov eax, dword ptr fs:[00000030h] 16_2_048EF716
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C4F2E mov eax, dword ptr fs:[00000030h] 16_2_048C4F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C4F2E mov eax, dword ptr fs:[00000030h] 16_2_048C4F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FE730 mov eax, dword ptr fs:[00000030h] 16_2_048FE730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DEF40 mov eax, dword ptr fs:[00000030h] 16_2_048DEF40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DFF60 mov eax, dword ptr fs:[00000030h] 16_2_048DFF60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04998F6A mov eax, dword ptr fs:[00000030h] 16_2_04998F6A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9080 mov eax, dword ptr fs:[00000030h] 16_2_048C9080
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04943884 mov eax, dword ptr fs:[00000030h] 16_2_04943884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04943884 mov eax, dword ptr fs:[00000030h] 16_2_04943884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F20A0 mov eax, dword ptr fs:[00000030h] 16_2_048F20A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F20A0 mov eax, dword ptr fs:[00000030h] 16_2_048F20A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F20A0 mov eax, dword ptr fs:[00000030h] 16_2_048F20A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F20A0 mov eax, dword ptr fs:[00000030h] 16_2_048F20A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F20A0 mov eax, dword ptr fs:[00000030h] 16_2_048F20A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F20A0 mov eax, dword ptr fs:[00000030h] 16_2_048F20A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FF0BF mov ecx, dword ptr fs:[00000030h] 16_2_048FF0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FF0BF mov eax, dword ptr fs:[00000030h] 16_2_048FF0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FF0BF mov eax, dword ptr fs:[00000030h] 16_2_048FF0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049090AF mov eax, dword ptr fs:[00000030h] 16_2_049090AF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0495B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495B8D0 mov ecx, dword ptr fs:[00000030h] 16_2_0495B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0495B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0495B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0495B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0495B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0495B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C58EC mov eax, dword ptr fs:[00000030h] 16_2_048C58EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04947016 mov eax, dword ptr fs:[00000030h] 16_2_04947016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04947016 mov eax, dword ptr fs:[00000030h] 16_2_04947016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04947016 mov eax, dword ptr fs:[00000030h] 16_2_04947016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04994015 mov eax, dword ptr fs:[00000030h] 16_2_04994015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04994015 mov eax, dword ptr fs:[00000030h] 16_2_04994015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F002D mov eax, dword ptr fs:[00000030h] 16_2_048F002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F002D mov eax, dword ptr fs:[00000030h] 16_2_048F002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F002D mov eax, dword ptr fs:[00000030h] 16_2_048F002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F002D mov eax, dword ptr fs:[00000030h] 16_2_048F002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F002D mov eax, dword ptr fs:[00000030h] 16_2_048F002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DB02A mov eax, dword ptr fs:[00000030h] 16_2_048DB02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DB02A mov eax, dword ptr fs:[00000030h] 16_2_048DB02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DB02A mov eax, dword ptr fs:[00000030h] 16_2_048DB02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DB02A mov eax, dword ptr fs:[00000030h] 16_2_048DB02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E0050 mov eax, dword ptr fs:[00000030h] 16_2_048E0050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E0050 mov eax, dword ptr fs:[00000030h] 16_2_048E0050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04982073 mov eax, dword ptr fs:[00000030h] 16_2_04982073
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04991074 mov eax, dword ptr fs:[00000030h] 16_2_04991074
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FA185 mov eax, dword ptr fs:[00000030h] 16_2_048FA185
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EC182 mov eax, dword ptr fs:[00000030h] 16_2_048EC182
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F2990 mov eax, dword ptr fs:[00000030h] 16_2_048F2990
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049451BE mov eax, dword ptr fs:[00000030h] 16_2_049451BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049451BE mov eax, dword ptr fs:[00000030h] 16_2_049451BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049451BE mov eax, dword ptr fs:[00000030h] 16_2_049451BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049451BE mov eax, dword ptr fs:[00000030h] 16_2_049451BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F61A0 mov eax, dword ptr fs:[00000030h] 16_2_048F61A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F61A0 mov eax, dword ptr fs:[00000030h] 16_2_048F61A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049469A6 mov eax, dword ptr fs:[00000030h] 16_2_049469A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CB1E1 mov eax, dword ptr fs:[00000030h] 16_2_048CB1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CB1E1 mov eax, dword ptr fs:[00000030h] 16_2_048CB1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CB1E1 mov eax, dword ptr fs:[00000030h] 16_2_048CB1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049541E8 mov eax, dword ptr fs:[00000030h] 16_2_049541E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9100 mov eax, dword ptr fs:[00000030h] 16_2_048C9100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9100 mov eax, dword ptr fs:[00000030h] 16_2_048C9100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9100 mov eax, dword ptr fs:[00000030h] 16_2_048C9100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E4120 mov eax, dword ptr fs:[00000030h] 16_2_048E4120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E4120 mov eax, dword ptr fs:[00000030h] 16_2_048E4120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E4120 mov eax, dword ptr fs:[00000030h] 16_2_048E4120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E4120 mov eax, dword ptr fs:[00000030h] 16_2_048E4120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E4120 mov ecx, dword ptr fs:[00000030h] 16_2_048E4120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F513A mov eax, dword ptr fs:[00000030h] 16_2_048F513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F513A mov eax, dword ptr fs:[00000030h] 16_2_048F513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EB944 mov eax, dword ptr fs:[00000030h] 16_2_048EB944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EB944 mov eax, dword ptr fs:[00000030h] 16_2_048EB944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CC962 mov eax, dword ptr fs:[00000030h] 16_2_048CC962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CB171 mov eax, dword ptr fs:[00000030h] 16_2_048CB171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CB171 mov eax, dword ptr fs:[00000030h] 16_2_048CB171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FD294 mov eax, dword ptr fs:[00000030h] 16_2_048FD294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FD294 mov eax, dword ptr fs:[00000030h] 16_2_048FD294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C52A5 mov eax, dword ptr fs:[00000030h] 16_2_048C52A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C52A5 mov eax, dword ptr fs:[00000030h] 16_2_048C52A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C52A5 mov eax, dword ptr fs:[00000030h] 16_2_048C52A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C52A5 mov eax, dword ptr fs:[00000030h] 16_2_048C52A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C52A5 mov eax, dword ptr fs:[00000030h] 16_2_048C52A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DAAB0 mov eax, dword ptr fs:[00000030h] 16_2_048DAAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048DAAB0 mov eax, dword ptr fs:[00000030h] 16_2_048DAAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FFAB0 mov eax, dword ptr fs:[00000030h] 16_2_048FFAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F2ACB mov eax, dword ptr fs:[00000030h] 16_2_048F2ACB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F2AE4 mov eax, dword ptr fs:[00000030h] 16_2_048F2AE4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D8A0A mov eax, dword ptr fs:[00000030h] 16_2_048D8A0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498AA16 mov eax, dword ptr fs:[00000030h] 16_2_0498AA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498AA16 mov eax, dword ptr fs:[00000030h] 16_2_0498AA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048E3A1C mov eax, dword ptr fs:[00000030h] 16_2_048E3A1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CAA16 mov eax, dword ptr fs:[00000030h] 16_2_048CAA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CAA16 mov eax, dword ptr fs:[00000030h] 16_2_048CAA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C5210 mov eax, dword ptr fs:[00000030h] 16_2_048C5210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C5210 mov ecx, dword ptr fs:[00000030h] 16_2_048C5210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C5210 mov eax, dword ptr fs:[00000030h] 16_2_048C5210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C5210 mov eax, dword ptr fs:[00000030h] 16_2_048C5210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04904A2C mov eax, dword ptr fs:[00000030h] 16_2_04904A2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04904A2C mov eax, dword ptr fs:[00000030h] 16_2_04904A2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04954257 mov eax, dword ptr fs:[00000030h] 16_2_04954257
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9240 mov eax, dword ptr fs:[00000030h] 16_2_048C9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9240 mov eax, dword ptr fs:[00000030h] 16_2_048C9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9240 mov eax, dword ptr fs:[00000030h] 16_2_048C9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048C9240 mov eax, dword ptr fs:[00000030h] 16_2_048C9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498EA55 mov eax, dword ptr fs:[00000030h] 16_2_0498EA55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0490927A mov eax, dword ptr fs:[00000030h] 16_2_0490927A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0497B260 mov eax, dword ptr fs:[00000030h] 16_2_0497B260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0497B260 mov eax, dword ptr fs:[00000030h] 16_2_0497B260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04998A62 mov eax, dword ptr fs:[00000030h] 16_2_04998A62
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D1B8F mov eax, dword ptr fs:[00000030h] 16_2_048D1B8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048D1B8F mov eax, dword ptr fs:[00000030h] 16_2_048D1B8F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498138A mov eax, dword ptr fs:[00000030h] 16_2_0498138A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0497D380 mov ecx, dword ptr fs:[00000030h] 16_2_0497D380
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F2397 mov eax, dword ptr fs:[00000030h] 16_2_048F2397
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048FB390 mov eax, dword ptr fs:[00000030h] 16_2_048FB390
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F4BAD mov eax, dword ptr fs:[00000030h] 16_2_048F4BAD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F4BAD mov eax, dword ptr fs:[00000030h] 16_2_048F4BAD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F4BAD mov eax, dword ptr fs:[00000030h] 16_2_048F4BAD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04995BA5 mov eax, dword ptr fs:[00000030h] 16_2_04995BA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049453CA mov eax, dword ptr fs:[00000030h] 16_2_049453CA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_049453CA mov eax, dword ptr fs:[00000030h] 16_2_049453CA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048EDBE9 mov eax, dword ptr fs:[00000030h] 16_2_048EDBE9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F03E2 mov eax, dword ptr fs:[00000030h] 16_2_048F03E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F03E2 mov eax, dword ptr fs:[00000030h] 16_2_048F03E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F03E2 mov eax, dword ptr fs:[00000030h] 16_2_048F03E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F03E2 mov eax, dword ptr fs:[00000030h] 16_2_048F03E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F03E2 mov eax, dword ptr fs:[00000030h] 16_2_048F03E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F03E2 mov eax, dword ptr fs:[00000030h] 16_2_048F03E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0498131B mov eax, dword ptr fs:[00000030h] 16_2_0498131B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04998B58 mov eax, dword ptr fs:[00000030h] 16_2_04998B58
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CDB40 mov eax, dword ptr fs:[00000030h] 16_2_048CDB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CF358 mov eax, dword ptr fs:[00000030h] 16_2_048CF358
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048CDB60 mov ecx, dword ptr fs:[00000030h] 16_2_048CDB60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F3B7A mov eax, dword ptr fs:[00000030h] 16_2_048F3B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_048F3B7A mov eax, dword ptr fs:[00000030h] 16_2_048F3B7A
Source: C:\Users\user\Desktop\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\vbc.exe Code function: 10_2_0040ACF0 LdrLoadDll, 10_2_0040ACF0
Source: C:\Users\user\Desktop\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\vbc.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: D70000
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\vbc.exe Thread register set: target process: 3688
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3688
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ArjxBSiwgdPJ.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ArjxBSiwgdPJ.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ArjxBSiwgdPJ.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ArjxBSiwgdPJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9226.tmp
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\vbc.exe"
Source: explorer.exe, 0000001B.00000000.645098211.0000000004552000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.662877603.0000000004552000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmann
Source: explorer.exe, 0000000C.00000000.559746244.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.467122832.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.445033914.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.445033914.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.467590887.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.466525197.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.445033914.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.467590887.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.561030469.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000000.445033914.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.467590887.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.561030469.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 10.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.41c4598.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.441872504.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.527059219.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.434511328.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.679901222.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.679750293.0000000004560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.489673549.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.432195790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678413913.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.527575216.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.512379636.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.526456161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 10.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vbc.exe.41c4598.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.441872504.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.527059219.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.434511328.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.679901222.0000000004590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.679750293.0000000004560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.489673549.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.432195790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.678413913.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.527575216.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.512379636.000000000ECD3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.526456161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos