Windows Analysis Report
6109238.exe

Overview

General Information

Sample Name: 6109238.exe
Analysis ID: 680485
MD5: 2aeb09e3b19012d3d2add45559422416
SHA1: 0364e572469a4bfb486c982348c7fa62ccb7e818
SHA256: 917e03484856f0980f2150822a231e0f73e3cef3f074ea1644dcbd1082590399
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 6109238.exe ReversingLabs: Detection: 29%
Source: Yara match File source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: www.ruichuo888.com/g2i8/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\eHkVrJJ.exe ReversingLabs: Detection: 29%
Source: 6109238.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eHkVrJJ.exe Joe Sandbox ML: detected
Source: 5.0.6109238.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ruichuo888.com/g2i8/"], "decoy": ["ziezi.top", "vngik.com", "alternativaporbenidorm.com", "papinahooy.com", "aldemyangin.com", "943757.com", "ayty8.com", "rindedwladku.xyz", "highwoodcorp.com", "tyarx.com", "pikkunoita.online", "airtaxifl.com", "bjbjbfc.com", "busan.xyz", "ieeeturkeyblog.com", "valtuo.store", "xinyenet.net", "ditral.com", "protocolozero.info", "newbrunswickcreditunions.com", "elainebaby.xyz", "koidesignstudio.com", "99vin.group", "archipel-aventure.com", "khademi.group", "takaboar.com", "rzxx123.net", "games-wedding.com", "spinhaus.com", "51sic.com", "3dtouch.asia", "tracking173.xyz", "febmaklstudio.xyz", "cookingshots.com", "royaltristate.com", "amangift.store", "vehicleaccessories.store", "kannadasuddi.com", "the4weekway.international", "asd1118.xyz", "cursosparapotenciarte.store", "faithsquint.sbs", "otom.blue", "mamaandpapafoodtruck.com", "287by.com", "memoryuniverse.com", "televizeme.tech", "zpw168.com", "kayseriozelders.xyz", "solytics.xyz", "3kidsandahouse.com", "020dd.com", "shawlco.com", "wekiok05.top", "zalandashop.com", "tenergia.info", "nedreptate.net", "dentalimplantnearme-sg.space", "vpussy.com", "katzenglueck.net", "leftygolf.online", "simplehealthquotes.today", "estuidioma.online", "aviaboofit.site"]}
Source: 6109238.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6109238.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: 6109238.exe, 00000005.00000003.427753698.0000000001558000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000002.534207193.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000003.424452621.00000000013C0000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.642772599.0000000003480000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.536061575.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.643970249.000000000359F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.533670092.0000000000FFA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 6109238.exe, 6109238.exe, 00000005.00000003.427753698.0000000001558000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000002.534207193.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000003.424452621.00000000013C0000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.642772599.0000000003480000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.536061575.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.643970249.000000000359F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.533670092.0000000000FFA000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: www.ruichuo888.com/g2i8/
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: 6109238.exe, 00000000.00000002.433596561.0000000003225000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 6109238.exe, 00000000.00000002.446511442.0000000007452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match File source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 6109238.exe PID: 1980, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 6109238.exe PID: 5392, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: help.exe PID: 2056, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6109238.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 6109238.exe PID: 1980, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 6109238.exe PID: 5392, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: help.exe PID: 2056, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\6109238.exe Code function: String function: 0171B150 appears 35 times
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01759910
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017599A0 NtCreateSection,LdrInitializeThunk, 5_2_017599A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01759860
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759840 NtDelayExecution,LdrInitializeThunk, 5_2_01759840
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017598F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_017598F0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759A50 NtCreateFile,LdrInitializeThunk, 5_2_01759A50
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759A20 NtResumeThread,LdrInitializeThunk, 5_2_01759A20
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01759A00
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759540 NtReadFile,LdrInitializeThunk, 5_2_01759540
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017595D0 NtClose,LdrInitializeThunk, 5_2_017595D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759710 NtQueryInformationToken,LdrInitializeThunk, 5_2_01759710
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017597A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_017597A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759780 NtMapViewOfSection,LdrInitializeThunk, 5_2_01759780
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01759660
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017596E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_017596E0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759950 NtQueueApcThread, 5_2_01759950
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017599D0 NtCreateProcessEx, 5_2_017599D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0175B040 NtSuspendThread, 5_2_0175B040
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759820 NtEnumerateKey, 5_2_01759820
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017598A0 NtWriteVirtualMemory, 5_2_017598A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759B00 NtSetValueKey, 5_2_01759B00
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0175A3B0 NtGetContextThread, 5_2_0175A3B0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759A10 NtQuerySection, 5_2_01759A10
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759A80 NtOpenDirectoryObject, 5_2_01759A80
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759560 NtWriteFile, 5_2_01759560
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0175AD30 NtSetContextThread, 5_2_0175AD30
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759520 NtWaitForSingleObject, 5_2_01759520
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017595F0 NtQueryInformationFile, 5_2_017595F0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0175A770 NtOpenThread, 5_2_0175A770
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759770 NtSetInformationFile, 5_2_01759770
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759760 NtOpenProcess, 5_2_01759760
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759730 NtQueryVirtualMemory, 5_2_01759730
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0175A710 NtOpenProcessToken, 5_2_0175A710
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759FE0 NtCreateMutant, 5_2_01759FE0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759670 NtQueryInformationProcess, 5_2_01759670
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759650 NtQueryValueKey, 5_2_01759650
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759610 NtEnumerateValueKey, 5_2_01759610
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017596D0 NtCreateKey, 5_2_017596D0
Source: 6109238.exe, 00000000.00000002.448879453.0000000007930000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs 6109238.exe
Source: 6109238.exe, 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs 6109238.exe
Source: 6109238.exe, 00000000.00000000.367739549.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBinaryAr.exeB vs 6109238.exe
Source: 6109238.exe, 00000000.00000002.449934520.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs 6109238.exe
Source: 6109238.exe, 00000000.00000002.449404490.0000000007A60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs 6109238.exe
Source: 6109238.exe, 00000005.00000003.430684639.0000000001677000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 6109238.exe
Source: 6109238.exe, 00000005.00000003.426052343.00000000014D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 6109238.exe
Source: 6109238.exe, 00000005.00000002.535959139.000000000180F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 6109238.exe
Source: 6109238.exe Binary or memory string: OriginalFilenameBinaryAr.exeB vs 6109238.exe
Source: C:\Users\user\Desktop\6109238.exe Section loaded: onecoreuapcommonproxystub.dll
Source: 6109238.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eHkVrJJ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6109238.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\6109238.exe File read: C:\Users\user\Desktop\6109238.exe
Source: C:\Users\user\Desktop\6109238.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\6109238.exe "C:\Users\user\Desktop\6109238.exe"
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eHkVrJJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eHkVrJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp1585.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Users\user\Desktop\6109238.exe C:\Users\user\Desktop\6109238.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\6109238.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
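The process chain recorded above (a Defender exclusion added through Add-MpPreference, a task imported from an XML file in %TEMP%, the sample relaunching a copy of itself as a hollowing target, and help.exe started by explorer.exe that deletes the original file) is the sequence a process-creation detection rule set should catch. The Python below is an added example, not part of the sandbox output: the event log inside it is constructed from the report's "Process created" entries (PIDs 1980, 5392 and 2056 are taken from the memory-scan hits, every other PID is made up), and the MITRE technique IDs in the comments are the editor's mapping.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed event log mirroring the report's "Process created" entries.
# PIDs 1980/5392 (6109238.exe) and 2056 (help.exe) come from the memory-scan
# hits in the report; every other PID is made up for the example.
SAMPLE = "C:\\Users\\user\\Desktop\\6109238.exe"
PWSH = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
CONHOST = "C:\\Windows\\System32\\conhost.exe"
EVENTS = [
    ProcEvent(100, 1, "C:\\Windows\\explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(1980, 100, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(201, 1980, PWSH,
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\eHkVrJJ.exe"'),
    ProcEvent(202, 201, CONHOST, "conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(203, 1980, "C:\\Windows\\SysWOW64\\schtasks.exe",
              '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\eHkVrJJ" '
              '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1585.tmp"'),
    ProcEvent(204, 203, CONHOST, "conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5392, 1980, SAMPLE, SAMPLE),
    ProcEvent(2056, 100, "C:\\Windows\\SysWOW64\\help.exe", "C:\\Windows\\SysWOW64\\help.exe"),
    ProcEvent(301, 2056, "C:\\Windows\\SysWOW64\\cmd.exe", f'/c del "{SAMPLE}"'),
    ProcEvent(302, 301, CONHOST, "conhost.exe 0xffffffff -ForceV1"),
]


def _name(image: str) -> str:
    """Lower-cased file name of an image path."""
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Run the rules over a list of ProcEvent and return the findings."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    observed_images = {e.image.lower() for e in events}
    findings = []

    for e in events:
        name = _name(e.image)
        cl = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""

        # T1562.001: Defender exclusion added via Add-MpPreference
        if name == "powershell.exe" and "add-mppreference" in cl and "-exclusionpath" in cl:
            m = re.search(r'-exclusionpath\s+"?([^"]+)"?', e.cmdline, re.I)
            findings.append(Finding("defender_exclusion_added", e.pid,
                                    m.group(1) if m else e.cmdline))

        # T1053.005: task registered from an XML definition dropped in %TEMP%,
        # which keeps the task's command off the schtasks command line
        if (name == "schtasks.exe" and "/create" in cl and "/xml" in cl
                and "\\appdata\\local\\temp\\" in cl):
            m = re.search(r'/tn\s+"?([^"]+)"?', e.cmdline, re.I)
            findings.append(Finding("schtask_from_temp_xml", e.pid,
                                    m.group(1) if m else e.cmdline))

        # T1070.004: cmd /c del aimed at an executable seen running in this tree
        if name == "cmd.exe":
            m = re.search(r'/c\s+del\s+"?([^"]+?)"?\s*$', e.cmdline, re.I)
            if m and m.group(1).lower() in observed_images:
                findings.append(Finding("deletes_observed_executable", e.pid, m.group(1)))

        # T1055.012: a process starting a second copy of itself is the usual
        # setup for hollowing the child (NtUnmapViewOfSection, NtWriteVirtualMemory,
        # NtSetContextThread, NtResumeThread are all listed in this report)
        if parent and parent.image.lower() == e.image.lower():
            findings.append(Finding("self_spawn", e.pid, e.image))

        # explorer.exe launching an argument-less Windows binary that then
        # spawns cmd.exe: the shape of injected code in explorer.exe driving a
        # helper process (help.exe in this report)
        if (pname == "explorer.exe" and e.image.lower().startswith("c:\\windows\\")
                and e.cmdline.strip().lower() == e.image.lower()
                and any(_name(c.image) == "cmd.exe" for c in children.get(e.pid, []))):
            findings.append(Finding("explorer_child_spawns_cmd", e.pid, name))

    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The rules are written against the command line and parent/child relations only, so the same logic applies to Sysmon event ID 1 or any EDR process-start telemetry. On a live host the exclusion the first rule catches is also visible in the ExclusionPath property returned by Get-MpPreference.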
Source: C:\Users\user\Desktop\6109238.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\6109238.exe File created: C:\Users\user\AppData\Roaming\eHkVrJJ.exe
Source: C:\Users\user\Desktop\6109238.exe File created: C:\Users\user\AppData\Local\Temp\tmp1585.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/8@0/0
Source: C:\Users\user\Desktop\6109238.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 6109238.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\6109238.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_01
Source: C:\Users\user\Desktop\6109238.exe Mutant created: \Sessions\1\BaseNamedObjects\AjTPgfGGWTEvNoTEhQPc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\6109238.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 6109238.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6109238.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: 6109238.exe, 00000005.00000003.427753698.0000000001558000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000002.534207193.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000003.424452621.00000000013C0000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.642772599.0000000003480000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.536061575.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.643970249.000000000359F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.533670092.0000000000FFA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 6109238.exe, 6109238.exe, 00000005.00000003.427753698.0000000001558000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000002.534207193.00000000016F0000.00000040.00000800.00020000.00000000.sdmp, 6109238.exe, 00000005.00000003.424452621.00000000013C0000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.642772599.0000000003480000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.536061575.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000002.643970249.000000000359F000.00000040.00000800.00020000.00000000.sdmp, help.exe, 0000000A.00000003.533670092.0000000000FFA000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0176D0D1 push ecx; ret 5_2_0176D0E4
Source: initial sample Static PE information: section name: .text entropy: 7.729019884750608
Source: C:\Users\user\Desktop\6109238.exe File created: C:\Users\user\AppData\Roaming\eHkVrJJ.exe (dropped file)

Boot Survival

Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eHkVrJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp1585.tmp"
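Because the task is registered from a temporary XML file rather than with /TR, the command it will run does not appear on the schtasks command line; the XML (or the exported definition of the registered task) has to be read to see it. The Python below is an added example, not part of the report: it parses a Task Scheduler definition and lists the reasons a hunter would flag it. The task XML embedded in it is constructed, since the report does not reproduce the contents of tmp1585.tmp; that its Exec command points at the dropped C:\Users\user\AppData\Roaming\eHkVrJJ.exe, is hidden and uses a logon trigger is an assumption made for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by every Task Scheduler 2.0 definition
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition (assumed content; the report only records that
# schtasks.exe imported tmp1585.tmp as the task "Updates\eHkVrJJ").
# Encoded as UTF-16 below because that is how schtasks /XML files are written.
TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\eHkVrJJ.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Path fragments that a scheduled task's executable should normally not live under
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class TaskSummary:
    commands: tuple   # "command arguments" for each <Exec> action
    triggers: tuple   # trigger element names, e.g. ("LogonTrigger",)
    hidden: bool
    run_level: str


def parse_task(raw: bytes) -> TaskSummary:
    """Parse a task definition (UTF-16 or UTF-8 bytes) into a TaskSummary."""
    root = ET.fromstring(raw)
    commands = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        commands.append((cmd + " " + args).strip())
    trig_el = root.find("t:Triggers", NS)
    triggers = tuple(t.tag.rsplit("}", 1)[-1] for t in trig_el) if trig_el is not None else ()
    hidden = root.findtext("t:Settings/t:Hidden", default="false",
                           namespaces=NS).strip().lower() == "true"
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS).strip()
    return TaskSummary(tuple(commands), triggers, hidden, run_level)


def suspicious_reasons(task: TaskSummary) -> list:
    """Return the hunting reasons that apply to a parsed task (empty if none)."""
    reasons = []
    for cmd in task.commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            reasons.append(f"exec target in user-writable location: {cmd}")
    if task.hidden:
        reasons.append("task is hidden from the Task Scheduler UI")
    if "LogonTrigger" in task.triggers or "BootTrigger" in task.triggers:
        reasons.append("runs at logon/boot: " + ", ".join(task.triggers))
    if task.run_level == "HighestAvailable":
        reasons.append("requests highest available privileges")
    return reasons


if __name__ == "__main__":
    summary = parse_task(TASK_XML.encode("utf-16"))
    for reason in suspicious_reasons(summary):
        print("-", reason)
```

On a live host the definition of a registered task is exported in the same format with `schtasks /Query /TN "Updates\eHkVrJJ" /XML`, and the on-disk copies under C:\Windows\System32\Tasks can be fed to parse_task() directly.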

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE8
Source: C:\Users\user\Desktop\6109238.exe Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (117 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.433596561.0000000003225000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6109238.exe PID: 1980, type: MEMORYSTR
Source: 6109238.exe, 00000000.00000002.433596561.0000000003225000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: 6109238.exe, 00000000.00000002.433596561.0000000003225000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\6109238.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\6109238.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 0000000000C79904 second address: 0000000000C7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 0000000000C79B6E second address: 0000000000C79B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\6109238.exe TID: 924 Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\6109238.exe TID: 4008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2332 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E5BA5 rdtsc 5_2_017E5BA5
Source: C:\Users\user\Desktop\6109238.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9329
Source: C:\Users\user\Desktop\6109238.exe API coverage: 5.2 %
Source: C:\Users\user\Desktop\6109238.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6109238.exe Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\6109238.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: 6109238.exe, 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000009.00000000.494644616.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 6109238.exe, 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000009.00000000.494644616.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 00000009.00000000.462973257.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: 6109238.exe, 00000000.00000002.449934520.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: t4VMCiahkW98QFvBt5K
Source: explorer.exe, 00000009.00000000.462973257.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: explorer.exe, 00000009.00000000.462973257.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: 6109238.exe, 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, 6109238.exe, 00000000.00000002.449934520.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: cfZLZJWV1qemuSyMDkE
Source: explorer.exe, 00000009.00000000.488066558.00000000042EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: 6109238.exe, 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000009.00000000.507782837.00000000042A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
Source: 6109238.exe, 00000000.00000002.439859566.000000000345A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E5BA5 rdtsc 5_2_017E5BA5
Source: C:\Users\user\Desktop\6109238.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\6109238.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug
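The indicators in this section combine several evasion checks: an RDTSC delta measurement (the 8-byte sequence rdtsc / xor ecx,ecx / add ecx,eax / rdtsc at 0x409904, and the same sequence at 0xC79904 in help.exe), string lookups for analysis-environment artifacts (SbieDll.dll for Sandboxie, wine_get_unix_file_name for Wine, the VMware Tools install path and registry key, the VMware SVGA II adapter and the VMware SCSI device IDs), effectively infinite thread delays (922337203685477 ms is 2^63-1 100-ns ticks, the maximum .NET TimeSpan, expressed in milliseconds, so the sandbox has to skip or shorten the sleep to get any coverage), and the fs:[30h] PEB reads listed in the rest of this section. Two of the string hits (t4VMCiahkW98QFvBt5K, cfZLZJWV1qemuSyMDkE) are obfuscated tokens that match only on the substrings VM and qemu, so bare vendor names should be judged in context rather than counted. The triage scanner below is an added example, not code from the sandbox or from the sample: it searches a process memory dump for the instruction-byte patterns and artifact strings above (ASCII and UTF-16LE, case-insensitive), reports the enclosing printable run for every string hit, and separates strong indicators from weak ones. The dump fragment is constructed inline; the indicator list and the strong/weak ratings are the author's choices, not the sandbox's.

```python
"""Triage scanner for the evasion indicators listed in this report section.

Added example, not code from the sandbox or from the sample. The byte
patterns come from the report's disassembly; the string list and the
strong/weak ratings are the author's choices.
"""
import re
from dataclasses import dataclass

# rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc : the 8-byte sequence reported at
# 0x409904..0x40990A. Both ModRM encodings of xor and add are accepted.
RDTSC_DELTA = re.compile(rb"\x0f\x31(?:\x31\xc9|\x33\xc9)(?:\x01\xc1|\x03\xc8)\x0f\x31")

# mov eax, fs:[30h] (64 A1 30 00 00 00 or 64 8B 05 30 00 00 00) and
# mov ecx, fs:[30h] (64 8B 0D 30 00 00 00): 32-bit PEB reads. Loader and CRT
# code does this legitimately, so the pattern is rated weak on its own.
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d])\x30\x00\x00\x00")

# (category, needle, strong); needles are taken from the strings in the report.
STRING_INDICATORS = [
    ("sandboxie", b"sbiedll.dll", True),
    ("wine", b"wine_get_unix_file_name", True),
    ("vmware", b"vmware tools", True),
    ("vmware", b"vmware svga ii", True),
    ("vmware", b"vmware_sata_cd00", True),
    ("vmware", b"vmware", False),  # bare vendor name: judge from context
    ("qemu", b"qemu", False),      # bare vendor name: judge from context
]


@dataclass
class Hit:
    kind: str
    offset: int
    strong: bool
    context: str


def _patterns_for(needle):
    """Case-insensitive ASCII and UTF-16LE forms of a needle."""
    narrow = re.compile(re.escape(needle), re.IGNORECASE)
    wide = re.compile(b"".join(re.escape(bytes([c])) + b"\x00" for c in needle), re.IGNORECASE)
    return [(narrow, False), (wide, True)]


def _printable_run(buf, start, end, wide):
    """Expand a match to the surrounding printable run so it can be judged in context."""
    step = 2 if wide else 1

    def printable(i):
        if not 0x20 <= buf[i] < 0x7F:
            return False
        return not wide or (i + 1 < len(buf) and buf[i + 1] == 0)

    lo, hi = start, end
    while lo - step >= 0 and printable(lo - step):
        lo -= step
    while hi < len(buf) and printable(hi):
        hi += step
    return buf[lo:hi].decode("utf-16-le" if wide else "ascii", "replace")


def scan(buf):
    """Return every indicator found in buf, ordered by offset."""
    hits = []
    for m in RDTSC_DELTA.finditer(buf):
        hits.append(Hit("rdtsc_delta_check", m.start(), True, m.group().hex()))
    for m in PEB_READ.finditer(buf):
        hits.append(Hit("peb_read_fs30", m.start(), False, m.group().hex()))
    for category, needle, strong in STRING_INDICATORS:
        for pat, wide in _patterns_for(needle):
            for m in pat.finditer(buf):
                hits.append(Hit(category, m.start(), strong,
                                _printable_run(buf, m.start(), m.end(), wide)))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits):
    """Strong indicators decide; weak ones are listed for the analyst to review."""
    strong = sorted({h.kind for h in hits if h.strong})
    weak = sorted({h.kind for h in hits if not h.strong} - set(strong))
    return {"evasive": bool(strong), "strong": strong, "weak": weak}


# Constructed dump fragment (not taken from the sample) mixing the report's
# indicators with two obfuscated tokens that merely contain 'VM' and 'qemu'.
SAMPLE_DUMP = (
    b"\x90" * 4
    + bytes.fromhex("0f3133c903c80f31")       # rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
    + bytes.fromhex("64a130000000")           # mov eax, fs:[30h]
    + b"SBIEDLL.DLL\x00\x00"
    + "VMware SVGA II".encode("utf-16-le") + b"\x00\x00"
    + b"t4VMCiahkW98QFvBt5K\x00"              # 'VM' alone is not an indicator here
    + b"cfZLZJWV1qemuSyMDkE\x00"              # weak 'qemu' hit, reported with its context
)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for h in found:
        print(f"{h.offset:#08x} {h.kind:18} {'strong' if h.strong else 'weak  '} {h.context}")
    print(verdict(found))
```

Run it over a dump taken with procdump or from the sandbox's own memory exports; the rdtsc pattern and the PEB read are matched as raw bytes, so the scanner works on unpacked regions as well as on the file on disk. Weak hits are deliberately never enough for an "evasive" verdict: the context string is what lets an analyst tell a VMware device ID from an obfuscated identifier that happens to contain the vendor name.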
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171B171 mov eax, dword ptr fs:[00000030h] 5_2_0171B171
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171B171 mov eax, dword ptr fs:[00000030h] 5_2_0171B171
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171C962 mov eax, dword ptr fs:[00000030h] 5_2_0171C962
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173B944 mov eax, dword ptr fs:[00000030h] 5_2_0173B944
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173B944 mov eax, dword ptr fs:[00000030h] 5_2_0173B944
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174513A mov eax, dword ptr fs:[00000030h] 5_2_0174513A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174513A mov eax, dword ptr fs:[00000030h] 5_2_0174513A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01734120 mov eax, dword ptr fs:[00000030h] 5_2_01734120
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01734120 mov eax, dword ptr fs:[00000030h] 5_2_01734120
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01734120 mov eax, dword ptr fs:[00000030h] 5_2_01734120
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01734120 mov eax, dword ptr fs:[00000030h] 5_2_01734120
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01734120 mov ecx, dword ptr fs:[00000030h] 5_2_01734120
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719100 mov eax, dword ptr fs:[00000030h] 5_2_01719100
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719100 mov eax, dword ptr fs:[00000030h] 5_2_01719100
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719100 mov eax, dword ptr fs:[00000030h] 5_2_01719100
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0171B1E1
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0171B1E1
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0171B1E1
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017A41E8 mov eax, dword ptr fs:[00000030h] 5_2_017A41E8
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017951BE mov eax, dword ptr fs:[00000030h] 5_2_017951BE
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017951BE mov eax, dword ptr fs:[00000030h] 5_2_017951BE
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017951BE mov eax, dword ptr fs:[00000030h] 5_2_017951BE
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017951BE mov eax, dword ptr fs:[00000030h] 5_2_017951BE
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017461A0 mov eax, dword ptr fs:[00000030h] 5_2_017461A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017461A0 mov eax, dword ptr fs:[00000030h] 5_2_017461A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017969A6 mov eax, dword ptr fs:[00000030h] 5_2_017969A6
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742990 mov eax, dword ptr fs:[00000030h] 5_2_01742990
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173C182 mov eax, dword ptr fs:[00000030h] 5_2_0173C182
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174A185 mov eax, dword ptr fs:[00000030h] 5_2_0174A185
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E1074 mov eax, dword ptr fs:[00000030h] 5_2_017E1074
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D2073 mov eax, dword ptr fs:[00000030h] 5_2_017D2073
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01730050 mov eax, dword ptr fs:[00000030h] 5_2_01730050
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01730050 mov eax, dword ptr fs:[00000030h] 5_2_01730050
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172B02A mov eax, dword ptr fs:[00000030h] 5_2_0172B02A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172B02A mov eax, dword ptr fs:[00000030h] 5_2_0172B02A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172B02A mov eax, dword ptr fs:[00000030h] 5_2_0172B02A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172B02A mov eax, dword ptr fs:[00000030h] 5_2_0172B02A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174002D mov eax, dword ptr fs:[00000030h] 5_2_0174002D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174002D mov eax, dword ptr fs:[00000030h] 5_2_0174002D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174002D mov eax, dword ptr fs:[00000030h] 5_2_0174002D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174002D mov eax, dword ptr fs:[00000030h] 5_2_0174002D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174002D mov eax, dword ptr fs:[00000030h] 5_2_0174002D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E4015 mov eax, dword ptr fs:[00000030h] 5_2_017E4015
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E4015 mov eax, dword ptr fs:[00000030h] 5_2_017E4015
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01797016 mov eax, dword ptr fs:[00000030h] 5_2_01797016
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01797016 mov eax, dword ptr fs:[00000030h] 5_2_01797016
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01797016 mov eax, dword ptr fs:[00000030h] 5_2_01797016
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017158EC mov eax, dword ptr fs:[00000030h] 5_2_017158EC
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 5_2_017AB8D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AB8D0 mov ecx, dword ptr fs:[00000030h] 5_2_017AB8D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 5_2_017AB8D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 5_2_017AB8D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 5_2_017AB8D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AB8D0 mov eax, dword ptr fs:[00000030h] 5_2_017AB8D0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174F0BF mov ecx, dword ptr fs:[00000030h] 5_2_0174F0BF
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174F0BF mov eax, dword ptr fs:[00000030h] 5_2_0174F0BF
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174F0BF mov eax, dword ptr fs:[00000030h] 5_2_0174F0BF
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017420A0 mov eax, dword ptr fs:[00000030h] 5_2_017420A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017420A0 mov eax, dword ptr fs:[00000030h] 5_2_017420A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017420A0 mov eax, dword ptr fs:[00000030h] 5_2_017420A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017420A0 mov eax, dword ptr fs:[00000030h] 5_2_017420A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017420A0 mov eax, dword ptr fs:[00000030h] 5_2_017420A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017420A0 mov eax, dword ptr fs:[00000030h] 5_2_017420A0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017590AF mov eax, dword ptr fs:[00000030h] 5_2_017590AF
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719080 mov eax, dword ptr fs:[00000030h] 5_2_01719080
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01793884 mov eax, dword ptr fs:[00000030h] 5_2_01793884
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01793884 mov eax, dword ptr fs:[00000030h] 5_2_01793884
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01743B7A mov eax, dword ptr fs:[00000030h] 5_2_01743B7A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01743B7A mov eax, dword ptr fs:[00000030h] 5_2_01743B7A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171DB60 mov ecx, dword ptr fs:[00000030h] 5_2_0171DB60
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E8B58 mov eax, dword ptr fs:[00000030h] 5_2_017E8B58
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171F358 mov eax, dword ptr fs:[00000030h] 5_2_0171F358
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171DB40 mov eax, dword ptr fs:[00000030h] 5_2_0171DB40
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D131B mov eax, dword ptr fs:[00000030h] 5_2_017D131B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017403E2 mov eax, dword ptr fs:[00000030h] 5_2_017403E2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017403E2 mov eax, dword ptr fs:[00000030h] 5_2_017403E2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017403E2 mov eax, dword ptr fs:[00000030h] 5_2_017403E2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017403E2 mov eax, dword ptr fs:[00000030h] 5_2_017403E2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017403E2 mov eax, dword ptr fs:[00000030h] 5_2_017403E2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017403E2 mov eax, dword ptr fs:[00000030h] 5_2_017403E2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173DBE9 mov eax, dword ptr fs:[00000030h] 5_2_0173DBE9
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017953CA mov eax, dword ptr fs:[00000030h] 5_2_017953CA
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017953CA mov eax, dword ptr fs:[00000030h] 5_2_017953CA
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01744BAD mov eax, dword ptr fs:[00000030h] 5_2_01744BAD
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01744BAD mov eax, dword ptr fs:[00000030h] 5_2_01744BAD
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01744BAD mov eax, dword ptr fs:[00000030h] 5_2_01744BAD
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E5BA5 mov eax, dword ptr fs:[00000030h] 5_2_017E5BA5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742397 mov eax, dword ptr fs:[00000030h] 5_2_01742397
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174B390 mov eax, dword ptr fs:[00000030h] 5_2_0174B390
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D138A mov eax, dword ptr fs:[00000030h] 5_2_017D138A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017CD380 mov ecx, dword ptr fs:[00000030h] 5_2_017CD380
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01721B8F mov eax, dword ptr fs:[00000030h] 5_2_01721B8F
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01721B8F mov eax, dword ptr fs:[00000030h] 5_2_01721B8F
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0175927A mov eax, dword ptr fs:[00000030h] 5_2_0175927A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017CB260 mov eax, dword ptr fs:[00000030h] 5_2_017CB260
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017CB260 mov eax, dword ptr fs:[00000030h] 5_2_017CB260
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E8A62 mov eax, dword ptr fs:[00000030h] 5_2_017E8A62
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DEA55 mov eax, dword ptr fs:[00000030h] 5_2_017DEA55
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017A4257 mov eax, dword ptr fs:[00000030h] 5_2_017A4257
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719240 mov eax, dword ptr fs:[00000030h] 5_2_01719240
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719240 mov eax, dword ptr fs:[00000030h] 5_2_01719240
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719240 mov eax, dword ptr fs:[00000030h] 5_2_01719240
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01719240 mov eax, dword ptr fs:[00000030h] 5_2_01719240
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01754A2C mov eax, dword ptr fs:[00000030h] 5_2_01754A2C
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01754A2C mov eax, dword ptr fs:[00000030h] 5_2_01754A2C
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01715210 mov eax, dword ptr fs:[00000030h] 5_2_01715210
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01715210 mov ecx, dword ptr fs:[00000030h] 5_2_01715210
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01715210 mov eax, dword ptr fs:[00000030h] 5_2_01715210
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01715210 mov eax, dword ptr fs:[00000030h] 5_2_01715210
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171AA16 mov eax, dword ptr fs:[00000030h] 5_2_0171AA16
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171AA16 mov eax, dword ptr fs:[00000030h] 5_2_0171AA16
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01733A1C mov eax, dword ptr fs:[00000030h] 5_2_01733A1C
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01728A0A mov eax, dword ptr fs:[00000030h] 5_2_01728A0A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742AE4 mov eax, dword ptr fs:[00000030h] 5_2_01742AE4
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742ACB mov eax, dword ptr fs:[00000030h] 5_2_01742ACB
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0172AAB0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0172AAB0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174FAB0 mov eax, dword ptr fs:[00000030h] 5_2_0174FAB0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017152A5 mov eax, dword ptr fs:[00000030h] 5_2_017152A5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017152A5 mov eax, dword ptr fs:[00000030h] 5_2_017152A5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017152A5 mov eax, dword ptr fs:[00000030h] 5_2_017152A5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017152A5 mov eax, dword ptr fs:[00000030h] 5_2_017152A5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017152A5 mov eax, dword ptr fs:[00000030h] 5_2_017152A5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174D294 mov eax, dword ptr fs:[00000030h] 5_2_0174D294
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174D294 mov eax, dword ptr fs:[00000030h] 5_2_0174D294
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173C577 mov eax, dword ptr fs:[00000030h] 5_2_0173C577
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173C577 mov eax, dword ptr fs:[00000030h] 5_2_0173C577
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01737D50 mov eax, dword ptr fs:[00000030h] 5_2_01737D50
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01753D43 mov eax, dword ptr fs:[00000030h] 5_2_01753D43
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01793540 mov eax, dword ptr fs:[00000030h] 5_2_01793540
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171AD30 mov eax, dword ptr fs:[00000030h] 5_2_0171AD30
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DE539 mov eax, dword ptr fs:[00000030h] 5_2_017DE539
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01723D34 mov eax, dword ptr fs:[00000030h] 5_2_01723D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E8D34 mov eax, dword ptr fs:[00000030h] 5_2_017E8D34
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0179A537 mov eax, dword ptr fs:[00000030h] 5_2_0179A537
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01744D3B mov eax, dword ptr fs:[00000030h] 5_2_01744D3B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01744D3B mov eax, dword ptr fs:[00000030h] 5_2_01744D3B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01744D3B mov eax, dword ptr fs:[00000030h] 5_2_01744D3B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017C8DF1 mov eax, dword ptr fs:[00000030h] 5_2_017C8DF1
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0172D5E0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0172D5E0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 5_2_017DFDE2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 5_2_017DFDE2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 5_2_017DFDE2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DFDE2 mov eax, dword ptr fs:[00000030h] 5_2_017DFDE2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796DC9 mov eax, dword ptr fs:[00000030h] 5_2_01796DC9
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796DC9 mov eax, dword ptr fs:[00000030h] 5_2_01796DC9
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796DC9 mov eax, dword ptr fs:[00000030h] 5_2_01796DC9
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796DC9 mov ecx, dword ptr fs:[00000030h] 5_2_01796DC9
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796DC9 mov eax, dword ptr fs:[00000030h] 5_2_01796DC9
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796DC9 mov eax, dword ptr fs:[00000030h] 5_2_01796DC9
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01741DB5 mov eax, dword ptr fs:[00000030h] 5_2_01741DB5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01741DB5 mov eax, dword ptr fs:[00000030h] 5_2_01741DB5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01741DB5 mov eax, dword ptr fs:[00000030h] 5_2_01741DB5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E05AC mov eax, dword ptr fs:[00000030h] 5_2_017E05AC
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E05AC mov eax, dword ptr fs:[00000030h] 5_2_017E05AC
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017435A1 mov eax, dword ptr fs:[00000030h] 5_2_017435A1
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174FD9B mov eax, dword ptr fs:[00000030h] 5_2_0174FD9B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174FD9B mov eax, dword ptr fs:[00000030h] 5_2_0174FD9B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742581 mov eax, dword ptr fs:[00000030h] 5_2_01742581
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742581 mov eax, dword ptr fs:[00000030h] 5_2_01742581
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742581 mov eax, dword ptr fs:[00000030h] 5_2_01742581
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01742581 mov eax, dword ptr fs:[00000030h] 5_2_01742581
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01712D8A mov eax, dword ptr fs:[00000030h] 5_2_01712D8A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01712D8A mov eax, dword ptr fs:[00000030h] 5_2_01712D8A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01712D8A mov eax, dword ptr fs:[00000030h] 5_2_01712D8A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01712D8A mov eax, dword ptr fs:[00000030h] 5_2_01712D8A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01712D8A mov eax, dword ptr fs:[00000030h] 5_2_01712D8A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173746D mov eax, dword ptr fs:[00000030h] 5_2_0173746D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AC450 mov eax, dword ptr fs:[00000030h] 5_2_017AC450
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AC450 mov eax, dword ptr fs:[00000030h] 5_2_017AC450
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174A44B mov eax, dword ptr fs:[00000030h] 5_2_0174A44B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174BC2C mov eax, dword ptr fs:[00000030h] 5_2_0174BC2C
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E740D mov eax, dword ptr fs:[00000030h] 5_2_017E740D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E740D mov eax, dword ptr fs:[00000030h] 5_2_017E740D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E740D mov eax, dword ptr fs:[00000030h] 5_2_017E740D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796C0A mov eax, dword ptr fs:[00000030h] 5_2_01796C0A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796C0A mov eax, dword ptr fs:[00000030h] 5_2_01796C0A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796C0A mov eax, dword ptr fs:[00000030h] 5_2_01796C0A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796C0A mov eax, dword ptr fs:[00000030h] 5_2_01796C0A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1C06 mov eax, dword ptr fs:[00000030h] 5_2_017D1C06
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D14FB mov eax, dword ptr fs:[00000030h] 5_2_017D14FB
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796CF0 mov eax, dword ptr fs:[00000030h] 5_2_01796CF0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796CF0 mov eax, dword ptr fs:[00000030h] 5_2_01796CF0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01796CF0 mov eax, dword ptr fs:[00000030h] 5_2_01796CF0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E8CD6 mov eax, dword ptr fs:[00000030h] 5_2_017E8CD6
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172849B mov eax, dword ptr fs:[00000030h] 5_2_0172849B
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172FF60 mov eax, dword ptr fs:[00000030h] 5_2_0172FF60
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E8F6A mov eax, dword ptr fs:[00000030h] 5_2_017E8F6A
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172EF40 mov eax, dword ptr fs:[00000030h] 5_2_0172EF40
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174E730 mov eax, dword ptr fs:[00000030h] 5_2_0174E730
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01714F2E mov eax, dword ptr fs:[00000030h] 5_2_01714F2E
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01714F2E mov eax, dword ptr fs:[00000030h] 5_2_01714F2E
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173F716 mov eax, dword ptr fs:[00000030h] 5_2_0173F716
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AFF10 mov eax, dword ptr fs:[00000030h] 5_2_017AFF10
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AFF10 mov eax, dword ptr fs:[00000030h] 5_2_017AFF10
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E070D mov eax, dword ptr fs:[00000030h] 5_2_017E070D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E070D mov eax, dword ptr fs:[00000030h] 5_2_017E070D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174A70E mov eax, dword ptr fs:[00000030h] 5_2_0174A70E
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174A70E mov eax, dword ptr fs:[00000030h] 5_2_0174A70E
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017537F5 mov eax, dword ptr fs:[00000030h] 5_2_017537F5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01728794 mov eax, dword ptr fs:[00000030h] 5_2_01728794
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01797794 mov eax, dword ptr fs:[00000030h] 5_2_01797794
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01797794 mov eax, dword ptr fs:[00000030h] 5_2_01797794
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01797794 mov eax, dword ptr fs:[00000030h] 5_2_01797794
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173AE73 mov eax, dword ptr fs:[00000030h] 5_2_0173AE73
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173AE73 mov eax, dword ptr fs:[00000030h] 5_2_0173AE73
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173AE73 mov eax, dword ptr fs:[00000030h] 5_2_0173AE73
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173AE73 mov eax, dword ptr fs:[00000030h] 5_2_0173AE73
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0173AE73 mov eax, dword ptr fs:[00000030h] 5_2_0173AE73
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0172766D mov eax, dword ptr fs:[00000030h] 5_2_0172766D
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01727E41 mov eax, dword ptr fs:[00000030h] 5_2_01727E41
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01727E41 mov eax, dword ptr fs:[00000030h] 5_2_01727E41
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01727E41 mov eax, dword ptr fs:[00000030h] 5_2_01727E41
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01727E41 mov eax, dword ptr fs:[00000030h] 5_2_01727E41
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01727E41 mov eax, dword ptr fs:[00000030h] 5_2_01727E41
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01727E41 mov eax, dword ptr fs:[00000030h] 5_2_01727E41
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DAE44 mov eax, dword ptr fs:[00000030h] 5_2_017DAE44
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017DAE44 mov eax, dword ptr fs:[00000030h] 5_2_017DAE44
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017CFE3F mov eax, dword ptr fs:[00000030h] 5_2_017CFE3F
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171E620 mov eax, dword ptr fs:[00000030h] 5_2_0171E620
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174A61C mov eax, dword ptr fs:[00000030h] 5_2_0174A61C
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0174A61C mov eax, dword ptr fs:[00000030h] 5_2_0174A61C
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171C600 mov eax, dword ptr fs:[00000030h] 5_2_0171C600
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171C600 mov eax, dword ptr fs:[00000030h] 5_2_0171C600
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_0171C600 mov eax, dword ptr fs:[00000030h] 5_2_0171C600
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01748E00 mov eax, dword ptr fs:[00000030h] 5_2_01748E00
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017D1608 mov eax, dword ptr fs:[00000030h] 5_2_017D1608
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017276E2 mov eax, dword ptr fs:[00000030h] 5_2_017276E2
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017416E0 mov ecx, dword ptr fs:[00000030h] 5_2_017416E0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E8ED6 mov eax, dword ptr fs:[00000030h] 5_2_017E8ED6
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01758EC7 mov eax, dword ptr fs:[00000030h] 5_2_01758EC7
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017436CC mov eax, dword ptr fs:[00000030h] 5_2_017436CC
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017CFEC0 mov eax, dword ptr fs:[00000030h] 5_2_017CFEC0
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E0EA5 mov eax, dword ptr fs:[00000030h] 5_2_017E0EA5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E0EA5 mov eax, dword ptr fs:[00000030h] 5_2_017E0EA5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017E0EA5 mov eax, dword ptr fs:[00000030h] 5_2_017E0EA5
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017946A7 mov eax, dword ptr fs:[00000030h] 5_2_017946A7
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_017AFE87 mov eax, dword ptr fs:[00000030h] 5_2_017AFE87
Source: C:\Users\user\Desktop\6109238.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Code function: 5_2_01759910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01759910
Source: C:\Users\user\Desktop\6109238.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\6109238.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 12D0000 Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Memory written: C:\Users\user\Desktop\6109238.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Thread register set: target process: 3688 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3688 Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eHkVrJJ.exe
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eHkVrJJ.exe Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eHkVrJJ.exe Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eHkVrJJ" /XML "C:\Users\user\AppData\Local\Temp\tmp1585.tmp Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Process created: C:\Users\user\Desktop\6109238.exe C:\Users\user\Desktop\6109238.exe Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\6109238.exe" Jump to behavior
Source: explorer.exe, 00000009.00000000.505710262.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.441486575.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.588089772.000000000081C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.505710262.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.441486575.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.439978724.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.505710262.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.441486575.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.589451145.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.505710262.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.441486575.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.589451145.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Users\user\Desktop\6109238.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\6109238.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6109238.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.0.6109238.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6109238.exe.43053d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.640356208.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.423502729.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.498783665.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.519597064.000000000D7E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.442527217.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.640116150.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.639269207.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos