Windows Analysis Report
vbc.exe

Overview

General Information

Sample Name: vbc.exe
Analysis ID: 680430
MD5: 2fd70987e440c0351b1ce6ba45568868
SHA1: 1fbf7460b77d6335ca56f5dd0bf274049436ab62
SHA256: 46b08ac7a1a467f9d8053aaf6853500a32fd5c4b1acd747a9a83134f59115424
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name in the version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
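The signature list above names the behaviours but not how to catch them in telemetry. The following is an added example, not code from the sandbox vendor or from the sample: a small rule set run over constructed Sysmon-style process events that mirror three of the listed behaviours (suspended-mode creation of the .NET Framework vbc.exe host used for hollowing, a schtasks.exe persistence entry, and a Windows Defender path exclusion). The command lines, PIDs, registry path and the "flags" field are assumptions; the report does not print them, and Sysmon itself does not log CreateProcess flags, so the flags check stands in for whatever ETW or EDR source exposes CREATE_SUSPENDED.

```python
"""Behaviour-chain triage over constructed Sysmon-style process events.

Added example for this report, not code from the sandbox vendor. Events,
command lines, PIDs, registry paths and the 'flags' field are constructed
assumptions that mirror the report's signature list.
"""
import re

CREATE_SUSPENDED = 0x00000004  # CreateProcess creation flag (documented value)

# kind mirrors Sysmon event families: 1 = process create, 13 = registry value set
EVENTS = [
    {"kind": 1, "pid": 6192, "ppid": 5000, "flags": 0,
     "image": r"C:\Users\user\Desktop\vbc.exe",
     "cmd": r"C:\Users\user\Desktop\vbc.exe"},
    {"kind": 1, "pid": 6748, "ppid": 6192, "flags": CREATE_SUSPENDED,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"kind": 1, "pid": 7001, "ppid": 6192, "flags": 0,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Updates\svyewSjGVGtgt" '
            r'/XML "C:\Users\user\AppData\Local\Temp\tmp1.tmp"'},
    {"kind": 1, "pid": 7002, "ppid": 6192, "flags": 0,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"kind": 13, "pid": 7003, "ppid": 1000, "flags": 0,
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Roaming"},
]

FRAMEWORK_DIR = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
DEFENDER_CMD = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)
DEFENDER_REG = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)


def rule_suspended_dotnet_host(ev):
    """A Framework-directory binary started suspended: the hollowing host.
    Build tools start vbc.exe too, but not with CREATE_SUSPENDED."""
    return (ev["kind"] == 1 and bool(ev["flags"] & CREATE_SUSPENDED)
            and FRAMEWORK_DIR.search(ev["image"]) is not None)


def rule_schtasks_persistence(ev):
    """schtasks.exe creating a task (report: 'Uses schtasks.exe or at.exe')."""
    return (ev["kind"] == 1 and ev["image"].lower().endswith(r"\schtasks.exe")
            and re.search(r"/create\b", ev.get("cmd", ""), re.I) is not None)


def rule_defender_exclusion(ev):
    """Defender exclusion added via PowerShell or written directly to the registry."""
    if ev["kind"] == 1:
        return DEFENDER_CMD.search(ev.get("cmd", "")) is not None
    if ev["kind"] == 13:
        return DEFENDER_REG.search(ev.get("target", "")) is not None
    return False


RULES = {
    "suspended_dotnet_host": rule_suspended_dotnet_host,
    "schtasks_persistence": rule_schtasks_persistence,
    "defender_exclusion": rule_defender_exclusion,
}


def triage(events):
    """Return {rule_name: [pid, ...]} for every event each rule fires on."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["pid"])
    return hits


def root_sample(events, pid):
    """Follow ppid links to the top-most process we hold a record for."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == 1}
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return by_pid[pid]["image"] if pid in by_pid else None


def verdict(events):
    """Escalate on the combination, not on a single rule: one technique alone
    shows up in admin tooling; all three under one root is this report's chain."""
    hits = triage(events)
    techniques = sorted(name for name, pids in hits.items() if pids)
    severity = {0: "none", 1: "low", 2: "medium"}.get(len(techniques), "high")
    return {"severity": severity, "techniques": techniques, "hits": hits}


if __name__ == "__main__":
    v = verdict(EVENTS)
    print(v["severity"], v["techniques"])
    for name, pids in v["hits"].items():
        for pid in pids:
            print(f"  {name}: pid {pid}, root {root_sample(EVENTS, pid)}")
```

The severity scale keys off how many distinct techniques fire rather than raw hit count, because a single schtasks.exe /Create or a single Defender exclusion is routine on managed hosts, while hollowing plus persistence plus defence evasion under the same root process is the pattern the signatures above describe.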

Classification

AV Detection

Source: vbc.exe ReversingLabs: Detection: 14%
Source: Yara match File source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe ReversingLabs: Detection: 14%
Source: 9.0.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.danetsystem.com/x8ut/"], "decoy": ["mUYLEBuVKFsO", "Bi9gZRFSHUmFLCtq/7U=", "FbmmfzSUYXSePwRymyniT3oEeK79", "udVNLrDQnqjROz4uqn9FqdOIYA==", "W0IuGtY0/QXuXQlo6ZRWeMvJhq31", "q7sxIMoN9y2Sjda8WFtJqdOIYA==", "wUCsjyxXWHJujLSbJQn3ImshLMYdSfw=", "YpHPPzxXNnlwnTzt0BbJ+Gjk", "YZTMKoDNnNdjWIFKPH3rXqns", "bxHZySM5zymSNA==", "znV02t/6orjqlYeiGr8=", "eygnfJgRpsibwQz6pg==", "Hkt+9xJAGS3rTUoouw==", "z/Fq9d3ksMa/rlCa", "ALeXgBFSDRF6Y45Q+wR8neDWE+8=", "u2QZIK+8sOklBZ34rw==", "ex3XYKf3ts9aBPnUV086qdOIYA==", "ttMVj0CBfsW/rlCa", "AydNsr7ejaGWvyGUJxB0oPU=", "fyo5sLzbrL+LoUYbsg==", "TmpyUx16WZvOfTouuA==", "f2ynAEXel84KdWYxtmAnVsQGYniCS3DM", "Zfzu7VZxWY/OfTouuA==", "iX+zJSo39iLyFrcIILqnyDS8Tx27dQ==", "35RMMbTZuedQA1YWqrG+81cNyiWoIOJwxA==", "b4P0Wpj+tMa/rlCa", "ZgB2UP1xPsqI7j/w70o8qdOIYA==", "0PN1YODem705EyNKc9KSwf0=", "KhvWi6bMp/UxYSc=", "DCx4mMdtzloIgDg=", "mAa2j+gmr9VD5u/2x4Vwkg==", "wKyp/gqNP18T", "PxUPcIGYd6eavi6fuC7rXqns", "03x33AUsGmpV0u3/Xn05mvM=", "O2+Z/P4Y8icXike0KxB0oPU=", "kge9qTmWeMa25oeiGr8=", "AC9QRQ5zHYN69b4wWbc=", "G0d95OYE4loIgDg=", "Og0cip/Yj6/oklGuvysuRbsrOMS1DPQ=", "fOloUMXKx/koBZ34rw==", "AyNYruhCG1QLLmqFB71/", "OGOK8gcyAT1pEjUMx4Vwkg==", "0fd+BEOuhM/V8mC40g7OPUK+eQ==", "bxgH4qb2trOk4oeiGr8=", "xjKwL1qcX2vRyGr91Gto", "xjCeFGLgrMOLoUYbsg==", "gZ8Tgsw3DET86p2yzWpq", "VL9udRpGzymSNA==", "07D5V6EvzymSNA==", "z3sjDrwI+SdrIPdh4pNKqNLLXGy7HfQ=", "eLHjUiyXeLfZfV791Gto", "EEdy5PwP1uqjwfK8WEcEYZdVLb+afQ==", "cG6wIP7vzhCcOST6x4Vwkg==", "JiEkhou0n8a/rlCa", "MaJQKY6IRvS/rlCa", "/uvi2Z4G8DFb/xNT5KY=", "DTlm3fpB7gAy26A3FpaSzP0=", "cRPDizBcKjfwIcY5ZPXnGo7O6zFHPm7K", "B7dhSMi6kc0x5vP0x4Vwkg==", "y7zoUktTNl0Qb2A74r9g", "DQpAv9TzwMm/rlCa", "4VH0zD4z+wgXwjWQ", "jKP03nOMcHi1lAFkZrc=", "kTfm0oHkyfN2Jg3g1ge02lD8vSGlIOJwxA=="]}
Source: vbc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vbc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WWAHost.pdb source: vbc.exe, 00000009.00000003.555578361.000000000707C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.553653065.0000000006F96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: vbc.exe, 00000009.00000003.555578361.000000000707C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.553653065.0000000006F96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000009.00000002.564704309.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.427253872.0000000000AD8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.430940058.0000000005019000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.635691665.0000000003FDF000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.628890268.0000000003EC0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.571447975.0000000003D28000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.563307604.0000000003B90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000002.564704309.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.427253872.0000000000AD8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.430940058.0000000005019000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.635691665.0000000003FDF000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.628890268.0000000003EC0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.571447975.0000000003D28000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.563307604.0000000003B90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vbc.pdb source: WWAHost.exe, 00000014.00000002.637495288.00000000041F1000.00000004.00000800.00020000.00000000.sdmp
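The Yara hits above are keyed by memory-dump identifiers whose fields the report never spells out. The following is an added example, not the sandbox vendor's code, that decodes the fields the report itself pins down: "9.0.vbc.exe.400000.0.unpack" is the unpacked PE from dump "00000009.00000000.426521887.0000000000401000...", so field one is the process index, field two the analysis stage and field four the region base address. Reading field five as a Windows PAGE_* protection constant is an assumption that the two values seen here (0x04 and 0x40) make plausible; fields six to eight are carried through uninterpreted. The process-index table is taken from the report's own memory-string lines.

```python
"""Decode the sandbox memory-dump identifiers attached to the Yara hits.

Added example, not code from the sandbox vendor. Field five is read as a
PAGE_* protection value (assumption); fields six to eight are not decoded.
"""
import re

PAGE_PROTECT = {  # winnt.h memory protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Process index -> image, as the report's "String found in binary or memory" lines list them.
PROCESS_INDEX = {0x00: "vbc.exe", 0x09: "vbc.exe", 0x0D: "explorer.exe", 0x14: "WWAHost.exe"}

DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)

# Dump identifiers copied from the Yara match lines of this report.
YARA_HITS = [
    "00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp",
    "00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp",
    "00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp",
    "00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp",
    "0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp",
    "0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp",
    "00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp",
]


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump identifier: {name}")
    proc, stage, dump_id, base, prot, f6, f7, f8 = m.groups()
    idx, prot_val = int(proc, 16), int(prot, 16)
    return {
        "process_index": idx,
        "process": PROCESS_INDEX.get(idx, "unknown"),
        "stage": int(stage, 16),
        "dump_id": int(dump_id),
        "base": int(base, 16),
        "protection": PAGE_PROTECT.get(prot_val & 0xFF, f"0x{prot_val:08X}"),
        "executable": bool(prot_val & 0xF0),  # every PAGE_EXECUTE* value sits in the high nibble
        "unparsed": (f6, f7, f8),
    }


def triage(names):
    """Flag writable+executable regions that carry the FormBook signature: the
    hollowed vbc.exe image at 0x401000 and the regions in explorer.exe and
    WWAHost.exe are the injection footprint. Hits in read-write regions (0x04)
    are payload copies sitting in data memory, consistent with the report's
    '.NET source code contains potential unpacker' signature."""
    rows = []
    for n in names:
        d = parse_dump_name(n)
        d["suspicious"] = d["protection"] == "PAGE_EXECUTE_READWRITE"
        rows.append(d)
    return rows


def summarize(rows):
    """Count RWX Yara hits per process (two dumps of one region count twice)."""
    out = {}
    for r in rows:
        if r["suspicious"]:
            out[r["process"]] = out.get(r["process"], 0) + 1
    return out


if __name__ == "__main__":
    rows = triage(YARA_HITS)
    for r in rows:
        flag = "RWX" if r["suspicious"] else "   "
        print(f"{flag} {r['process']:<12} idx={r['process_index']:<2} stage={r['stage']} "
              f"base=0x{r['base']:08X} {r['protection']}")
    print(summarize(rows))
```

Run against the seven identifiers, the RWX filter leaves the hollowed vbc.exe host, explorer.exe and WWAHost.exe, which is exactly the process set the "Process Memory Space" Yara lines in the System Summary below also name; the two 0x04 hits are the in-memory payload copies in the submitted sample and in WWAHost.exe.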

Networking

Source: Yara match File source: vbc.exe, type: SAMPLE
Source: Yara match File source: 0.0.vbc.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe, type: DROPPED
Source: Malware configuration extractor URLs: www.danetsystem.com/x8ut/
Source: vbc.exe, svyewSjGVGtgt.exe.0.dr String found in binary or memory: http://boards.4chan.org/b/
Source: vbc.exe, svyewSjGVGtgt.exe.0.dr String found in binary or memory: http://boards.4chan.org3Retrieving
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: vbc.exe, svyewSjGVGtgt.exe.0.dr String found in binary or memory: http://images.4chan.org/
Source: explorer.exe, 0000000D.00000000.482694490.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.437285891.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.514496245.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.582671646.00000000026D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobY
Source: vbc.exe, 00000000.00000002.433034346.0000000002ADD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.362484787.000000000110C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: vbc.exe, 00000000.00000003.362484787.000000000110C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com=
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: vbc.exe, 00000000.00000002.441794995.0000000006B22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.reisdafavela.com
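The extractor line in the AV Detection section gives the C2 as a single path-bearing host while the only DNS query actually observed, www.reisdafavela.com, is a different name; the long "decoy" list is base64 text that does not read as domain names. The following is an added example, not the sandbox's extractor, that turns that line into a checked IOC bundle. The family name, the C2 entry and the three decoy strings are copied from the report's extractor output (the full decoy list is longer); the DNS name and the file hashes are the report's. The decoy entries are treated as opaque: the code only verifies that they are valid base64 and records whether they decode to printable text, and does not try to recover their meaning.

```python
"""Turn a Malware Configuration Extractor line into a checked IOC bundle.

Added example; not the sandbox's extractor. Config values, DNS name and
hashes are copied from the report; the decoy list is shortened to three.
"""
import base64
import binascii
import json
from urllib.parse import urlsplit

CONFIG_LINE = ('FormBook {"C2 list": ["www.danetsystem.com/x8ut/"], '
               '"decoy": ["mUYLEBuVKFsO", "Bi9gZRFSHUmFLCtq/7U=", "bxHZySM5zymSNA=="]}')
OBSERVED_DNS = ["www.reisdafavela.com"]   # the report's "DNS traffic detected" line
HASHES = {
    "md5": "2fd70987e440c0351b1ce6ba45568868",
    "sha1": "1fbf7460b77d6335ca56f5dd0bf274049436ab62",
    "sha256": "46b08ac7a1a467f9d8053aaf6853500a32fd5c4b1acd747a9a83134f59115424",
}


def parse_extractor_line(line):
    """'<family> <json>' -> (family, dict). Raises on malformed JSON rather than
    guessing, so a truncated line is never silently turned into IOCs."""
    family, _, blob = line.partition(" ")
    return family, json.loads(blob)


def c2_host(entry):
    """FormBook C2 entries carry a path but no scheme; prepend one so urlsplit
    can separate host from path."""
    parts = urlsplit("http://" + entry)
    return parts.hostname, parts.path


def defang(text):
    return (text.replace("http://", "hxxp://")
                .replace("https://", "hxxps://")
                .replace(".", "[.]"))


def classify_decoy(s):
    """Strict base64 check; 'opaque' means it decoded but is not printable text."""
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return "not-base64"
    return "printable" if raw and all(32 <= b < 127 for b in raw) else "opaque"


def build_iocs(line, observed_dns, hashes):
    family, cfg = parse_extractor_line(line)
    c2 = [c2_host(u) for u in cfg.get("C2 list", [])]
    c2_hosts = {h for h, _ in c2}
    return {
        "family": family,
        "hashes": dict(hashes),
        "c2": [{"host": h, "path": p, "defanged": defang(h + p)} for h, p in c2],
        # Observed lookups that are not the configured C2 are listed on their
        # own: neither dropped nor promoted to C2 without further evidence.
        "dns_not_in_config": [d for d in observed_dns if d not in c2_hosts],
        "decoys": {d: classify_decoy(d) for d in cfg.get("decoy", [])},
    }


if __name__ == "__main__":
    print(json.dumps(build_iocs(CONFIG_LINE, OBSERVED_DNS, HASHES), indent=2))
```

The font-vendor and license URLs in the string list above (fontbureau.com, fonts.com, apache.org and the like) are deliberately left out of the bundle: they come from embedded font and library resources, not from the malware configuration, and blocking them would only generate noise.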

E-Banking Fraud

Source: Yara match File source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: vbc.exe PID: 6192, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: vbc.exe PID: 6748, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: WWAHost.exe PID: 6432, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: vbc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: vbc.exe PID: 6192, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 6748, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: WWAHost.exe PID: 6432, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_00F83DC4 0_2_00F83DC4
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_00F88458 0_2_00F88458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A2D07 9_2_052A2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D0D20 9_2_051D0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A1D55 9_2_052A1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05202581 9_2_05202581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A25DD 9_2_052A25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051ED5E0 9_2_051ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E841F 9_2_051E841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529D466 9_2_0529D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A1FF1 9_2_052A1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052ADFCE 9_2_052ADFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F6E30 9_2_051F6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529D616 9_2_0529D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A2EF7 9_2_052A2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DF900 9_2_051DF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F4120 9_2_051F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052AE824 9_2_052AE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05291002 9_2_05291002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA830 9_2_051FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052020A0 9_2_052020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A20A8 9_2_052A20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EB090 9_2_051EB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A28EC 9_2_052A28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A2B28 9_2_052A2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FAB40 9_2_051FAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520EBB0 9_2_0520EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052903DA 9_2_052903DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529DBD2 9_2_0529DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0528FA2B 9_2_0528FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A22AE 9_2_052A22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0041FA7F 9_2_0041FA7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 051DB150 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219540 NtReadFile,LdrInitializeThunk, 9_2_05219540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052195D0 NtClose,LdrInitializeThunk, 9_2_052195D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219710 NtQueryInformationToken,LdrInitializeThunk, 9_2_05219710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052197A0 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_052197A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219780 NtMapViewOfSection,LdrInitializeThunk, 9_2_05219780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219FE0 NtCreateMutant,LdrInitializeThunk, 9_2_05219FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_05219660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052196E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_052196E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_05219910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052199A0 NtCreateSection,LdrInitializeThunk, 9_2_052199A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_05219860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219840 NtDelayExecution,LdrInitializeThunk, 9_2_05219840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052198F0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_052198F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219A20 NtResumeThread,LdrInitializeThunk, 9_2_05219A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219A00 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_05219A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219A50 NtCreateFile,LdrInitializeThunk, 9_2_05219A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219520 NtWaitForSingleObject, 9_2_05219520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0521AD30 NtSetContextThread, 9_2_0521AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219560 NtWriteFile, 9_2_05219560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052195F0 NtQueryInformationFile, 9_2_052195F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219730 NtQueryVirtualMemory, 9_2_05219730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0521A710 NtOpenProcessToken, 9_2_0521A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219760 NtOpenProcess, 9_2_05219760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0521A770 NtOpenThread, 9_2_0521A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219770 NtSetInformationFile, 9_2_05219770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219610 NtEnumerateValueKey, 9_2_05219610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219670 NtQueryInformationProcess, 9_2_05219670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219650 NtQueryValueKey, 9_2_05219650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052196D0 NtCreateKey, 9_2_052196D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219950 NtQueueApcThread, 9_2_05219950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052199D0 NtCreateProcessEx, 9_2_052199D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219820 NtEnumerateKey, 9_2_05219820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0521B040 NtSuspendThread, 9_2_0521B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052198A0 NtWriteVirtualMemory, 9_2_052198A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219B00 NtSetValueKey, 9_2_05219B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0521A3B0 NtGetContextThread, 9_2_0521A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219A10 NtQuerySection, 9_2_05219A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219A80 NtOpenDirectoryObject, 9_2_05219A80
Source: vbc.exe, 00000000.00000002.444943649.0000000007270000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs vbc.exe
Source: vbc.exe, 00000000.00000002.445337631.0000000007480000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs vbc.exe
Source: vbc.exe, 00000000.00000003.392575546.00000000070A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs vbc.exe
Source: vbc.exe, 00000000.00000003.399577917.00000000070AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArraySortHel.exe: vs vbc.exe
Source: vbc.exe, 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs vbc.exe
Source: vbc.exe, 00000000.00000000.352266818.0000000000749000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameArraySortHel.exe: vs vbc.exe
Source: vbc.exe, 00000000.00000002.444764428.0000000007240000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs vbc.exe
Source: vbc.exe, 00000009.00000002.572038422.00000000052CF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 00000009.00000003.428640673.0000000000BEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe, 00000009.00000003.553653065.0000000006F96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs vbc.exe
Source: vbc.exe, 00000009.00000003.431899246.0000000005138000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vbc.exe
Source: vbc.exe Binary or memory string: OriginalFilenameArraySortHel.exe: vs vbc.exe
Source: vbc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svyewSjGVGtgt.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svyewSjGVGtgt.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vbc.exe ReversingLabs: Detection: 14%
Source: C:\Users\user\Desktop\vbc.exe File read: C:\Users\user\Desktop\vbc.exe
Source: vbc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\svyewSjGVGtgt" /XML "C:\Users\user\AppData\Local\Temp\tmp8F67.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\svyewSjGVGtgt" /XML "C:\Users\user\AppData\Local\Temp\tmp8F67.tmp
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Local\Temp\tmp8F67.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/8@2/0
Source: C:\Users\user\Desktop\vbc.exe File read: C:\Users\user\Desktop\desktop.ini
Source: vbc.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
Source: C:\Users\user\Desktop\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\XUUJrsTtOidedgINUG
Source: vbc.exe, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs Cryptographic APIs: 'TransformBlock'
Source: vbc.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: vbc.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: vbc.exe, Scraper/frmMain.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: svyewSjGVGtgt.exe.0.dr, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs Cryptographic APIs: 'TransformBlock'
Source: svyewSjGVGtgt.exe.0.dr, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: svyewSjGVGtgt.exe.0.dr, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: svyewSjGVGtgt.exe.0.dr, Scraper/frmMain.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.vbc.exe.660000.0.unpack, Scraper/frmMain.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: vbc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vbc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WWAHost.pdb source: vbc.exe, 00000009.00000003.555578361.000000000707C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.553653065.0000000006F96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: vbc.exe, 00000009.00000003.555578361.000000000707C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.553653065.0000000006F96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000009.00000002.564704309.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.427253872.0000000000AD8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.430940058.0000000005019000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.635691665.0000000003FDF000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.628890268.0000000003EC0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.571447975.0000000003D28000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.563307604.0000000003B90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000002.564704309.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.427253872.0000000000AD8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.430940058.0000000005019000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.635691665.0000000003FDF000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000002.628890268.0000000003EC0000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.571447975.0000000003D28000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 00000014.00000003.563307604.0000000003B90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vbc.pdb source: WWAHost.exe, 00000014.00000002.637495288.00000000041F1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: vbc.exe, Scraper/frmMain.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: svyewSjGVGtgt.exe.0.dr, Scraper/frmMain.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.vbc.exe.660000.0.unpack, Scraper/frmMain.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0522D0D1 push ecx; ret 9_2_0522D0E4
Source: initial sample Static PE information: section name: .text entropy: 7.58951432122368
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe

Boot Survival

Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\svyewSjGVGtgt" /XML "C:\Users\user\AppData\Local\Temp\tmp8F67.tmp
Source: C:\Users\user\Desktop\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.433034346.0000000002ADD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6192, type: MEMORYSTR
Source: vbc.exe, 00000000.00000002.433034346.0000000002ADD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.433034346.0000000002ADD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\vbc.exe TID: 6196 Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6652 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05216DE6 rdtsc 9_2_05216DE6
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 5.6 %
Source: C:\Users\user\Desktop\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000D.00000000.494640049.0000000006389000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: vbc.exe, 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000D.00000000.524510937.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 0000000D.00000000.524510937.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000D.00000000.484646435.0000000004150000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: explorer.exe, 0000000D.00000000.524510937.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
Source: explorer.exe, 0000000D.00000000.525066443.0000000007D2A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.524510937.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00Iy
Source: vbc.exe, 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000D.00000000.499146548.0000000007CC2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
Source: vbc.exe, 00000000.00000002.435077515.0000000002D26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05216DE6 rdtsc 9_2_05216DE6
Source: C:\Users\user\Desktop\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529E539 mov eax, dword ptr fs:[00000030h] 9_2_0529E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0525A537 mov eax, dword ptr fs:[00000030h] 9_2_0525A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05204D3B mov eax, dword ptr fs:[00000030h] 9_2_05204D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A8D34 mov eax, dword ptr fs:[00000030h] 9_2_052A8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E3D34 mov eax, dword ptr fs:[00000030h] 9_2_051E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DAD30 mov eax, dword ptr fs:[00000030h] 9_2_051DAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F7D50 mov eax, dword ptr fs:[00000030h] 9_2_051F7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05213D43 mov eax, dword ptr fs:[00000030h] 9_2_05213D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05253540 mov eax, dword ptr fs:[00000030h] 9_2_05253540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FC577 mov eax, dword ptr fs:[00000030h] 9_2_051FC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05283D40 mov eax, dword ptr fs:[00000030h] 9_2_05283D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052035A1 mov eax, dword ptr fs:[00000030h] 9_2_052035A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A05AC mov eax, dword ptr fs:[00000030h] 9_2_052A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05201DB5 mov eax, dword ptr fs:[00000030h] 9_2_05201DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D2D8A mov eax, dword ptr fs:[00000030h] 9_2_051D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05202581 mov eax, dword ptr fs:[00000030h] 9_2_05202581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520FD9B mov eax, dword ptr fs:[00000030h] 9_2_0520FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0529FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05288DF1 mov eax, dword ptr fs:[00000030h] 9_2_05288DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05256DC9 mov eax, dword ptr fs:[00000030h] 9_2_05256DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05256DC9 mov ecx, dword ptr fs:[00000030h] 9_2_05256DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051ED5E0 mov eax, dword ptr fs:[00000030h] 9_2_051ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520BC2C mov eax, dword ptr fs:[00000030h] 9_2_0520BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A740D mov eax, dword ptr fs:[00000030h] 9_2_052A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05291C06 mov eax, dword ptr fs:[00000030h] 9_2_05291C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05256C0A mov eax, dword ptr fs:[00000030h] 9_2_05256C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520A44B mov eax, dword ptr fs:[00000030h] 9_2_0520A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F746D mov eax, dword ptr fs:[00000030h] 9_2_051F746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526C450 mov eax, dword ptr fs:[00000030h] 9_2_0526C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E849B mov eax, dword ptr fs:[00000030h] 9_2_051E849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052914FB mov eax, dword ptr fs:[00000030h] 9_2_052914FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05256CF0 mov eax, dword ptr fs:[00000030h] 9_2_05256CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A8CD6 mov eax, dword ptr fs:[00000030h] 9_2_052A8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FF716 mov eax, dword ptr fs:[00000030h] 9_2_051FF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520E730 mov eax, dword ptr fs:[00000030h] 9_2_0520E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A070D mov eax, dword ptr fs:[00000030h] 9_2_052A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520A70E mov eax, dword ptr fs:[00000030h] 9_2_0520A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D4F2E mov eax, dword ptr fs:[00000030h] 9_2_051D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526FF10 mov eax, dword ptr fs:[00000030h] 9_2_0526FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A8F6A mov eax, dword ptr fs:[00000030h] 9_2_052A8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EEF40 mov eax, dword ptr fs:[00000030h] 9_2_051EEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EFF60 mov eax, dword ptr fs:[00000030h] 9_2_051EFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E8794 mov eax, dword ptr fs:[00000030h] 9_2_051E8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05257794 mov eax, dword ptr fs:[00000030h] 9_2_05257794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052137F5 mov eax, dword ptr fs:[00000030h] 9_2_052137F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0528FE3F mov eax, dword ptr fs:[00000030h] 9_2_0528FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DC600 mov eax, dword ptr fs:[00000030h] 9_2_051DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05208E00 mov eax, dword ptr fs:[00000030h] 9_2_05208E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05291608 mov eax, dword ptr fs:[00000030h] 9_2_05291608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520A61C mov eax, dword ptr fs:[00000030h] 9_2_0520A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DE620 mov eax, dword ptr fs:[00000030h] 9_2_051DE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E7E41 mov eax, dword ptr fs:[00000030h] 9_2_051E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FAE73 mov eax, dword ptr fs:[00000030h] 9_2_051FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529AE44 mov eax, dword ptr fs:[00000030h] 9_2_0529AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E766D mov eax, dword ptr fs:[00000030h] 9_2_051E766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052546A7 mov eax, dword ptr fs:[00000030h] 9_2_052546A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A0EA5 mov eax, dword ptr fs:[00000030h] 9_2_052A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526FE87 mov eax, dword ptr fs:[00000030h] 9_2_0526FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052016E0 mov ecx, dword ptr fs:[00000030h] 9_2_052016E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05218EC7 mov eax, dword ptr fs:[00000030h] 9_2_05218EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0528FEC0 mov eax, dword ptr fs:[00000030h] 9_2_0528FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052036CC mov eax, dword ptr fs:[00000030h] 9_2_052036CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A8ED6 mov eax, dword ptr fs:[00000030h] 9_2_052A8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E76E2 mov eax, dword ptr fs:[00000030h] 9_2_051E76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520513A mov eax, dword ptr fs:[00000030h] 9_2_0520513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D9100 mov eax, dword ptr fs:[00000030h] 9_2_051D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F4120 mov eax, dword ptr fs:[00000030h] 9_2_051F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F4120 mov eax, dword ptr fs:[00000030h] 9_2_051F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F4120 mov eax, dword ptr fs:[00000030h] 9_2_051F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F4120 mov eax, dword ptr fs:[00000030h] 9_2_051F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F4120 mov ecx, dword ptr fs:[00000030h] 9_2_051F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FB944 mov eax, dword ptr fs:[00000030h] 9_2_051FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FB944 mov eax, dword ptr fs:[00000030h] 9_2_051FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DB171 mov eax, dword ptr fs:[00000030h] 9_2_051DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DB171 mov eax, dword ptr fs:[00000030h] 9_2_051DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DC962 mov eax, dword ptr fs:[00000030h] 9_2_051DC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052061A0 mov eax, dword ptr fs:[00000030h] 9_2_052061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052061A0 mov eax, dword ptr fs:[00000030h] 9_2_052061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052569A6 mov eax, dword ptr fs:[00000030h] 9_2_052569A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052949A4 mov eax, dword ptr fs:[00000030h] 9_2_052949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052949A4 mov eax, dword ptr fs:[00000030h] 9_2_052949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052949A4 mov eax, dword ptr fs:[00000030h] 9_2_052949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052949A4 mov eax, dword ptr fs:[00000030h] 9_2_052949A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052551BE mov eax, dword ptr fs:[00000030h] 9_2_052551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052551BE mov eax, dword ptr fs:[00000030h] 9_2_052551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052551BE mov eax, dword ptr fs:[00000030h] 9_2_052551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052551BE mov eax, dword ptr fs:[00000030h] 9_2_052551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FC182 mov eax, dword ptr fs:[00000030h] 9_2_051FC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520A185 mov eax, dword ptr fs:[00000030h] 9_2_0520A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05202990 mov eax, dword ptr fs:[00000030h] 9_2_05202990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052641E8 mov eax, dword ptr fs:[00000030h] 9_2_052641E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DB1E1 mov eax, dword ptr fs:[00000030h] 9_2_051DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DB1E1 mov eax, dword ptr fs:[00000030h] 9_2_051DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DB1E1 mov eax, dword ptr fs:[00000030h] 9_2_051DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520002D mov eax, dword ptr fs:[00000030h] 9_2_0520002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520002D mov eax, dword ptr fs:[00000030h] 9_2_0520002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520002D mov eax, dword ptr fs:[00000030h] 9_2_0520002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520002D mov eax, dword ptr fs:[00000030h] 9_2_0520002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520002D mov eax, dword ptr fs:[00000030h] 9_2_0520002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA830 mov eax, dword ptr fs:[00000030h] 9_2_051FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA830 mov eax, dword ptr fs:[00000030h] 9_2_051FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA830 mov eax, dword ptr fs:[00000030h] 9_2_051FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA830 mov eax, dword ptr fs:[00000030h] 9_2_051FA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05257016 mov eax, dword ptr fs:[00000030h] 9_2_05257016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05257016 mov eax, dword ptr fs:[00000030h] 9_2_05257016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05257016 mov eax, dword ptr fs:[00000030h] 9_2_05257016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EB02A mov eax, dword ptr fs:[00000030h] 9_2_051EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EB02A mov eax, dword ptr fs:[00000030h] 9_2_051EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EB02A mov eax, dword ptr fs:[00000030h] 9_2_051EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EB02A mov eax, dword ptr fs:[00000030h] 9_2_051EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A4015 mov eax, dword ptr fs:[00000030h] 9_2_052A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A4015 mov eax, dword ptr fs:[00000030h] 9_2_052A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F0050 mov eax, dword ptr fs:[00000030h] 9_2_051F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F0050 mov eax, dword ptr fs:[00000030h] 9_2_051F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05292073 mov eax, dword ptr fs:[00000030h] 9_2_05292073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A1074 mov eax, dword ptr fs:[00000030h] 9_2_052A1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052020A0 mov eax, dword ptr fs:[00000030h] 9_2_052020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052020A0 mov eax, dword ptr fs:[00000030h] 9_2_052020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052020A0 mov eax, dword ptr fs:[00000030h] 9_2_052020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052020A0 mov eax, dword ptr fs:[00000030h] 9_2_052020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052020A0 mov eax, dword ptr fs:[00000030h] 9_2_052020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052020A0 mov eax, dword ptr fs:[00000030h] 9_2_052020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052190AF mov eax, dword ptr fs:[00000030h] 9_2_052190AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D9080 mov eax, dword ptr fs:[00000030h] 9_2_051D9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520F0BF mov ecx, dword ptr fs:[00000030h] 9_2_0520F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520F0BF mov eax, dword ptr fs:[00000030h] 9_2_0520F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520F0BF mov eax, dword ptr fs:[00000030h] 9_2_0520F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05253884 mov eax, dword ptr fs:[00000030h] 9_2_05253884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05253884 mov eax, dword ptr fs:[00000030h] 9_2_05253884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D58EC mov eax, dword ptr fs:[00000030h] 9_2_051D58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0526B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_0526B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0526B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0526B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0526B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0526B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0526B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D40E1 mov eax, dword ptr fs:[00000030h] 9_2_051D40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D40E1 mov eax, dword ptr fs:[00000030h] 9_2_051D40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D40E1 mov eax, dword ptr fs:[00000030h] 9_2_051D40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529131B mov eax, dword ptr fs:[00000030h] 9_2_0529131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DF358 mov eax, dword ptr fs:[00000030h] 9_2_051DF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05203B7A mov eax, dword ptr fs:[00000030h] 9_2_05203B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05203B7A mov eax, dword ptr fs:[00000030h] 9_2_05203B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DDB40 mov eax, dword ptr fs:[00000030h] 9_2_051DDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A8B58 mov eax, dword ptr fs:[00000030h] 9_2_052A8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DDB60 mov ecx, dword ptr fs:[00000030h] 9_2_051DDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05204BAD mov eax, dword ptr fs:[00000030h] 9_2_05204BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05204BAD mov eax, dword ptr fs:[00000030h] 9_2_05204BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05204BAD mov eax, dword ptr fs:[00000030h] 9_2_05204BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A5BA5 mov eax, dword ptr fs:[00000030h] 9_2_052A5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E1B8F mov eax, dword ptr fs:[00000030h] 9_2_051E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E1B8F mov eax, dword ptr fs:[00000030h] 9_2_051E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529138A mov eax, dword ptr fs:[00000030h] 9_2_0529138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0528D380 mov ecx, dword ptr fs:[00000030h] 9_2_0528D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520B390 mov eax, dword ptr fs:[00000030h] 9_2_0520B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05202397 mov eax, dword ptr fs:[00000030h] 9_2_05202397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052003E2 mov eax, dword ptr fs:[00000030h] 9_2_052003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052003E2 mov eax, dword ptr fs:[00000030h] 9_2_052003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052003E2 mov eax, dword ptr fs:[00000030h] 9_2_052003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052003E2 mov eax, dword ptr fs:[00000030h] 9_2_052003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052003E2 mov eax, dword ptr fs:[00000030h] 9_2_052003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052003E2 mov eax, dword ptr fs:[00000030h] 9_2_052003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052553CA mov eax, dword ptr fs:[00000030h] 9_2_052553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052553CA mov eax, dword ptr fs:[00000030h] 9_2_052553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FDBE9 mov eax, dword ptr fs:[00000030h] 9_2_051FDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051F3A1C mov eax, dword ptr fs:[00000030h] 9_2_051F3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DAA16 mov eax, dword ptr fs:[00000030h] 9_2_051DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051DAA16 mov eax, dword ptr fs:[00000030h] 9_2_051DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05214A2C mov eax, dword ptr fs:[00000030h] 9_2_05214A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05214A2C mov eax, dword ptr fs:[00000030h] 9_2_05214A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D5210 mov eax, dword ptr fs:[00000030h] 9_2_051D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D5210 mov ecx, dword ptr fs:[00000030h] 9_2_051D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D5210 mov eax, dword ptr fs:[00000030h] 9_2_051D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D5210 mov eax, dword ptr fs:[00000030h] 9_2_051D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051E8A0A mov eax, dword ptr fs:[00000030h] 9_2_051E8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051FA229 mov eax, dword ptr fs:[00000030h] 9_2_051FA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529AA16 mov eax, dword ptr fs:[00000030h] 9_2_0529AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529AA16 mov eax, dword ptr fs:[00000030h] 9_2_0529AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0528B260 mov eax, dword ptr fs:[00000030h] 9_2_0528B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0528B260 mov eax, dword ptr fs:[00000030h] 9_2_0528B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_052A8A62 mov eax, dword ptr fs:[00000030h] 9_2_052A8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0521927A mov eax, dword ptr fs:[00000030h] 9_2_0521927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D9240 mov eax, dword ptr fs:[00000030h] 9_2_051D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D9240 mov eax, dword ptr fs:[00000030h] 9_2_051D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D9240 mov eax, dword ptr fs:[00000030h] 9_2_051D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D9240 mov eax, dword ptr fs:[00000030h] 9_2_051D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05264257 mov eax, dword ptr fs:[00000030h] 9_2_05264257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0529EA55 mov eax, dword ptr fs:[00000030h] 9_2_0529EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520FAB0 mov eax, dword ptr fs:[00000030h] 9_2_0520FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EAAB0 mov eax, dword ptr fs:[00000030h] 9_2_051EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051EAAB0 mov eax, dword ptr fs:[00000030h] 9_2_051EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520D294 mov eax, dword ptr fs:[00000030h] 9_2_0520D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_0520D294 mov eax, dword ptr fs:[00000030h] 9_2_0520D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D52A5 mov eax, dword ptr fs:[00000030h] 9_2_051D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D52A5 mov eax, dword ptr fs:[00000030h] 9_2_051D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D52A5 mov eax, dword ptr fs:[00000030h] 9_2_051D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D52A5 mov eax, dword ptr fs:[00000030h] 9_2_051D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_051D52A5 mov eax, dword ptr fs:[00000030h] 9_2_051D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05202AE4 mov eax, dword ptr fs:[00000030h] 9_2_05202AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05202ACB mov eax, dword ptr fs:[00000030h] 9_2_05202ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_05219540 NtReadFile,LdrInitializeThunk, 9_2_05219540
Source: C:\Users\user\Desktop\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: DE0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
Source: C:\Users\user\Desktop\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
Source: C:\Users\user\Desktop\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7E4008
Source: C:\Users\user\Desktop\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread register set: target process: 3808
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3808
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svyewSjGVGtgt.exe
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\svyewSjGVGtgt" /XML "C:\Users\user\AppData\Local\Temp\tmp8F67.tmp
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: explorer.exe, 0000000D.00000000.436820402.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.482212994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.582310845.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerG
Source: explorer.exe, 0000000D.00000000.436820402.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.518253948.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.482212994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.436820402.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.482212994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.582310845.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.436820402.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.482212994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.582310845.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000D.00000000.581054248.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.512346185.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.480898254.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanPV*
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.426521887.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.625773894.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.626309765.0000000003440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.535893743.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.437207129.0000000003B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
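Most of the "Queries volume information" lines above are runtime noise rather than malware behaviour: a .NET WinForms process touching every installed font and the GAC assemblies it binds, and powershell.exe (whose Windows Defender management module catalog appears in the list, consistent with the "Adds a directory exclusion to Windows Defender" signature) loading its own modules and checking their signature catalogs. The one line in that block worth keeping is the read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, a value malware commonly uses to derive a stable per-host identifier. The Yara match identifiers in the two sections above encode which process and address the FormBook rules hit; the match in process 9 at base 0x400000 is consistent with the "Sample uses process hollowing technique" signature, where the payload replaces the image of a child process. The following triage helper is an added example, not part of this report or of the sandbox vendor's tooling. It parses lines in the exact form they take on this page; the noise classification buckets, and the reading of the .sdmp name as process index (hex), run, dump id, base address, page protection, are the editor's assumptions about this report's naming, not something the page documents.

```python
"""Triage helper for the behaviour lines of the sandbox report above.

Added example, not part of the original report or of the sandbox vendor's
tooling. It separates routine .NET / PowerShell noise (font files, GAC
assemblies, signature catalogs) from the items an analyst cares about: the
MachineGuid read used for host fingerprinting and the processes whose
memory matched the FormBook rules.
"""
import re
from collections import Counter

# Constructed sample input: a handful of lines copied from the report above.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match File source: 0.2.vbc.exe.3b73cf8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.623504800.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.501771022.000000000B529000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
"""

VOLUME_RE = re.compile(r"^Source: (?P<proc>.+?) Queries volume information: (?P<path>.+?) VolumeInformation$")
REGKEY_RE = re.compile(r"^Source: (?P<proc>.+?) Key value queried: (?P<key>\S+) (?P<value>\S+)$")
YARA_RE = re.compile(r"^Source: Yara match File source: (?P<src>\S+), type: (?P<kind>\w+)$")
# Unpacked-PE names read as <proc>.<run>.<image>.<base>.<n>[.raw].unpack (assumed layout).
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.\d+\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.\d+\.(?:raw\.)?unpack$")
# Memory-dump names read as <proc hex>.<run>.<id>.<base>.<protect>.... sdmp (assumed layout).
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.")

# Win32 PAGE_* constants, used to name the protection field of a memory dump.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def classify_volume_query(path):
    """Bucket a VolumeInformation query by what the path tells us (heuristic)."""
    p = path.lower()
    if p.startswith("c:\\windows\\fonts\\"):
        return "font-enumeration"          # GDI+/WinForms font cache: benign on its own
    if "\\microsoft.net\\assembly\\gac_" in p:
        return "gac-assembly-load"         # CLR binding a GAC assembly: benign on its own
    if "\\catroot\\" in p and p.endswith(".cat"):
        return "catalog-signature-check"   # Authenticode catalog lookup during module load
    if p.startswith("c:\\windows\\") and p.endswith(".dll"):
        return "system-module-load"        # e.g. PowerShell module DLLs under SysWOW64
    if p == "c:\\":
        return "volume-root"               # system volume name/serial: mild fingerprinting
    return "review"                        # anything else deserves a look


def parse_yara_source(src, kind):
    """Pull process index, base address and (for dumps) page protection out of a match id."""
    if kind == "UNPACKEDPE":
        m = UNPACK_RE.match(src)
        if m:
            return {"proc": int(m["proc"]), "base": int(m["base"], 16), "protect": None, "kind": kind}
    elif kind == "MEMORY":
        m = SDMP_RE.match(src)
        if m:
            prot = int(m["protect"], 16)
            return {"proc": int(m["proc"], 16), "base": int(m["base"], 16),
                    "protect": PAGE_PROTECT.get(prot, hex(prot)), "kind": kind}
    return None


def triage(report_text):
    """Summarise the report lines: noise counts, fingerprinting reads, Yara hits per process."""
    volume_by_class = Counter()
    needs_review, fingerprint, yara_by_proc = [], [], {}
    for line in report_text.splitlines():
        line = line.strip()
        m = VOLUME_RE.match(line)
        if m:
            bucket = classify_volume_query(m["path"])
            volume_by_class[bucket] += 1
            if bucket == "review":
                needs_review.append((m["proc"], m["path"]))
            continue
        m = REGKEY_RE.match(line)
        if m:
            if m["key"].lower().endswith("\\microsoft\\cryptography") and m["value"] == "MachineGuid":
                fingerprint.append((m["proc"], m["key"] + "\\" + m["value"]))
            continue
        m = YARA_RE.match(line)
        if m:
            info = parse_yara_source(m["src"], m["kind"])
            if info:
                yara_by_proc.setdefault(info["proc"], []).append(info)
    return {"volume_queries": dict(volume_by_class), "needs_review": needs_review,
            "host_fingerprint": fingerprint, "yara_processes": yara_by_proc}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("volume queries by bucket:", result["volume_queries"])
    print("host fingerprinting:", result["host_fingerprint"])
    for proc, hits in sorted(result["yara_processes"].items()):
        print(f"process {proc}: " + ", ".join(f"{h['kind']}@{h['base']:#x} ({h['protect']})" for h in hits))
```

Run against the full report the same way: paste the behaviour lines into SAMPLE_REPORT or read them from a file. The point of the buckets is to make the MachineGuid read and the per-process Yara hits stand out instead of being buried under ninety font and assembly lines; anything that lands in "needs_review" is a path the heuristics did not recognise and should be looked at by hand.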
No contacted IP information