Windows Analysis Report
BouncingForm.exe

Overview

General Information

Sample name: BouncingForm.exe
Analysis ID: 1671546
MD5: f4e3dd5c1c2ce682a0513acefd3ab6a6
SHA1: 0000020d63fef00ebee299b5d8840c02dd00ae7a
SHA256: ba1f7e27f288f06f787b1677013e6ddb65c0bf13e6d8997085948850a6ab9725
Tags: badjoke, exe, user-FelloBoiYuuka

Detection

Score: 4
Range: 0 - 100
Confidence: 80%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • BouncingForm.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\BouncingForm.exe" MD5: F4E3DD5C1C2CE682A0513ACEFD3AB6A6)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: BouncingForm.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Sky The Foxx\source\repos\BouncingForm\obj\Release\BouncingForm.pdb source: BouncingForm.exe
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: BouncingForm.exe, 00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\BouncingForm.exe; Code function: 0_2_06E01320 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_06E01320
Source: C:\Users\user\Desktop\BouncingForm.exe; Code function: 0_2_024ADC34
Source: BouncingForm.exe, 00000000.00000002.2436388395.000000000083E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename clr.dllT vs BouncingForm.exe
Source: classification engine; Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\BouncingForm.exe; Mutant created: NULL
Source: BouncingForm.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BouncingForm.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\BouncingForm.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\BouncingForm.exe; Section loaded: wintypes.dll
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BouncingForm.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BouncingForm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BouncingForm.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: BouncingForm.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Sky The Foxx\source\repos\BouncingForm\obj\Release\BouncingForm.pdb source: BouncingForm.exe
Source: BouncingForm.exe; Static PE information: 0xBE8412AB [Wed Apr 15 12:29:31 2071 UTC]
Source: C:\Users\user\Desktop\BouncingForm.exe; Code function: 0_2_06E01540 push FFFFFFFBh; ret 0_2_06E0155C
Source: C:\Users\user\Desktop\BouncingForm.exe; Code function: 0_2_06E00B81 push FFFFFFFBh; ret 0_2_06E00B95
Source: C:\Users\user\Desktop\BouncingForm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BouncingForm.exe; Memory allocated: 24A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BouncingForm.exe; Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BouncingForm.exe; Memory allocated: 4620000 memory reserve | memory write watch
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BouncingForm.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Users\user\Desktop\BouncingForm.exe VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exe; Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
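The two behaviours above (a volume-information query against every installed font file, followed by a read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid) are what an analyst has to weigh when the score is this low. The Python below is an added triage helper, not part of this report or of the sample: it parses report lines in the layout shown above, separates volume queries that hit font files under C:\Windows\Fonts from queries against a volume root (the target a volume-serial fingerprinting check would use), and lists MachineGuid reads separately instead of scoring them. The threshold, the verdict labels and the sample input (three of the report's own lines plus one constructed "C:\" query that the report does not contain) are assumptions of the example.

```python
"""Triage helper for sandbox 'Queries volume information' and 'Key value queried'
behaviour lines.  Added example; not part of the report or of the analysed sample."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the report's line layout: three of the report's volume
# queries and its MachineGuid read, each with the "Jump to behavior" link
# caption that the extracted page fuses onto the end of the line.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BouncingForm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
"""

# Constructed contrast case (NOT in the report): a query against the system
# volume root, which is where a volume-serial fingerprinting check would look.
CONTRAST_LOG = r"""
Source: C:\Users\user\Desktop\sample.exeQueries volume information: C:\ VolumeInformation
"""

# Assumption: the report's "Source: <process><event>: <target>" layout, with the
# source path and the event name run together as on the page.
_VOLUME_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Queries volume information:\s*(?P<target>.+?)\s*VolumeInformation$"
)
_REGKEY_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Key value queried:\s*(?P<key>.+?)\s+(?P<value>\S+)$"
)

FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon"}
FONTS_DIR = PureWindowsPath(r"C:\Windows\Fonts")


def parse_behavior(log_text):
    """Return (volume_query_targets, [(registry_key, value_name), ...])."""
    volume_targets, registry_reads = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Jump to behavior"):          # strip the link caption residue
            line = line[: -len("Jump to behavior")].rstrip()
        if m := _VOLUME_RE.match(line):
            volume_targets.append(m.group("target"))
        elif m := _REGKEY_RE.match(line):
            registry_reads.append((m.group("key"), m.group("value")))
    return volume_targets, registry_reads


def _is_font_file(p):
    return p.suffix.lower() in FONT_EXTENSIONS and str(p.parent).lower() == str(FONTS_DIR).lower()


def _is_volume_root(p):
    # "C:\" has an empty final component; that is the target of a volume-serial read.
    return p.name == ""


def classify_volume_queries(targets, noise_threshold=0.9):
    """Summarise what the volume queries touched and give a triage verdict.

    Verdict labels are this example's own: 'volume-serial-read' if any query hit a
    volume root, 'font-enumeration-noise' if at least noise_threshold of the
    targets are font files under C:\\Windows\\Fonts, otherwise 'review'.
    """
    paths = [PureWindowsPath(t) for t in targets]
    fonts = sum(_is_font_file(p) for p in paths)
    roots = sum(_is_volume_root(p) for p in paths)
    total = len(paths)
    if total == 0:
        verdict = "no-volume-queries"
    elif roots:
        verdict = "volume-serial-read"
    elif fonts / total >= noise_threshold:
        verdict = "font-enumeration-noise"
    else:
        verdict = "review"
    return {"total": total, "font_files": fonts, "volume_roots": roots, "verdict": verdict}


def find_host_id_reads(registry_reads):
    """Reads of the MachineGuid value under ...\\Microsoft\\Cryptography, reported but not scored."""
    return [
        (key, value)
        for key, value in registry_reads
        if value.lower() == "machineguid" and key.lower().endswith(r"\microsoft\cryptography")
    ]


def triage(log_text):
    targets, registry_reads = parse_behavior(log_text)
    return {
        "volume": classify_volume_queries(targets),
        "host_id_reads": find_host_id_reads(registry_reads),
    }


if __name__ == "__main__":
    print("report lines :", triage(SAMPLE_LOG))
    print("contrast case:", triage(CONTRAST_LOG))
```

Run over this report's lines the helper returns font-enumeration-noise, because every one of the 201 targets is a font file under C:\Windows\Fonts; the MachineGuid read is listed but not scored, since many benign components read that value and it only becomes interesting next to network activity, which this report does not record.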
MITRE ATT&CK Matrix (a technique with a leading count is matched by this sample's signatures that many times; entries without a count are the report's unmatched template cells):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Timestomp; 1 DLL Side-Loading; 1 Obfuscated Files or Information
  • Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: 1 Virtualization/Sandbox Evasion; 12 System Information Discovery; Query Registry; System Network Configuration Discovery; Internet Connection Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID 1671546): sample BouncingForm.exe, start date 23/04/2025, architecture WINDOWS, score 4. The graph contains a single process node, BouncingForm.exe, started directly from the sample.

This section contains all screenshots as thumbnails, including those not shown in the slideshow. Seven thumbnails are present; no larger version is available for any of them.

Source            Detection  Scanner        Label
BouncingForm.exe  3%         Virustotal
BouncingForm.exe  3%         ReversingLabs
No Antivirus matches
No contacted domains info
Name / Source / Malicious / Antivirus Detection / Reputation

Every string below was found in the same BouncingForm.exe memory region (00000000.00000002.2439515663.00000000068E2000.00000004.00000800.00020000.00000000.sdmp); none is marked malicious, none has an antivirus detection, and each has reputation "high". The strings are reproduced exactly as the report extracted them, including trailing bytes that are not part of the URL:

  • http://www.typography.netD
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.founder.com.cn/cn/cThe
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designersG
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.founder.com.cn/cn
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers/?
  • http://www.founder.com.cn/cn/bThe
  • http://www.fontbureau.com/designers?
  • http://www.jiyu-kobo.co.jp/
  • http://www.galapagosdesign.com/DPlease
  • http://www.fontbureau.com/designers8
  • http://www.tiro.com
  • http://www.fonts.com
  • http://www.fontbureau.com/designers
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
  • http://www.sakkal.com
  • http://www.carterandcone.coml
  • http://www.sajatypeworks.com

These are type-foundry and licence addresses of the kind stored in the name tables of TrueType/OpenType fonts, consistent with the font files the process enumerated above; the report records no contacted domains or IPs, so they should be read as string artefacts of loaded font data rather than as network indicators.
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1671546
Start date and time: 2025-04-23 00:47:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BouncingForm.exe
Detection: CLEAN
Classification: clean4.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 12
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.29.183.29, 131.253.33.254, 4.245.163.56, 4.175.87.197
• Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.143488658528292
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: BouncingForm.exe
File size: 160'768 bytes
MD5: f4e3dd5c1c2ce682a0513acefd3ab6a6
SHA1: 0000020d63fef00ebee299b5d8840c02dd00ae7a
SHA256: ba1f7e27f288f06f787b1677013e6ddb65c0bf13e6d8997085948850a6ab9725
SHA512: 95aaad098f3522415a5c565a3d07e471902869640c00e97248d934862b6456e4ffab625b1a04f01334e4b3cdc8d844bda79643d712ee970d9a45a1ec8e3b95f2
SSDEEP: 1536:o6lanQ5siboLsdQJ0dJhY8txlpsXdiIkroJXdiIkroV:oo1x007xbKkOkw
TLSH: C8F3CF127798CE26D42C07B24CA6EAFA57B27C543973911E31C5BF2F7BB23535902A06
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..j............... ........@.. ....................................`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4288f2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xBE8412AB [Wed Apr 15 12:29:31 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
cmp al, 26h
fldenv [26402642h]
push 00000026h
imul esp, dword ptr [esi], BAh
and eax, 219525C4h
mov dh, 00h
lodsb
and eax, 263B263Ah
arpl word ptr [esi], sp
pushad
and ah, byte ptr [eax]
fsub dword ptr [25B225CBh]
mov esp, 59017E25h
add dword ptr [ED00E901h], ecx
add bh, bh
add bh, ch
add ah, ah
add dh, dh
add bl, dh
add byte ptr [ecx+01h], ah
sbb eax, dword ptr [ecx]
pop edx
and eax, 25692554h
pushad
and eax, 2567256Ch
and eax, 21912565h
mov al, byte ptr [3100B125h]
add byte ptr [edx], dh
add byte ptr [ebx], dh
add byte ptr [eax+eax], dh
xor eax, 37003600h
add byte ptr [eax], bh
add byte ptr [ecx], bh
add byte ptr [ebx+01h], dl
js 00007FFB71398EF3h
mov esp, BE00BD00h
add byte ptr [ecx+eax-5Dh], al
add byte ptr [eax+eax+00C200A5h], ah
mov byte ptr [C700C600h], al
add byte ptr [ebx-51FF5400h], ch
add ch, ah
add bh, bl
add al, bh
add ch, dh
add bh, dl
add cl, dh
add dh, ah
add byte ptr [edx], bl
and dh, byte ptr [ebp-5CDF58FDh]
add eax, ebx
add esi, dword ptr [ebp-7BDA7800h]
and eax, 2590258Ch
and byte ptr [03C0221Eh], 00000048h
and al, dh
add esi, dword ptr [edx+14222900h]
and byte ptr [edx], ah
and dword ptr [eax], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2889d | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a000 | 0x5cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x28800 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x269b8 | 0x26a00 | 9d3cc391d804534af68996addc818cc6 | False | 0.33885138551779936 | data | 5.154545514103658 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x2a000 | 0x5cc | 0x600 | 9bda10c72c4fcf825b7c8137ff68f7ea | False | 0.4212239583333333 | data | 4.115450486367363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0xc | 0x200 | feb51a4d53d67c47d7337b62866cf500 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x2a090 | 0x33c | data | | | 0.4166666666666667
RT_MANIFEST | 0x2a3dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | BouncingForm
FileVersion | 1.0.0.0
InternalName | BouncingForm.exe
LegalCopyright | Copyright 2023
LegalTrademarks |
OriginalFilename | BouncingForm.exe
ProductName | BouncingForm
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
No network behavior found
Target ID: 0
Start time: 18:48:08
Start date: 22/04/2025
Path: C:\Users\user\Desktop\BouncingForm.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\BouncingForm.exe"
Imagebase: 0x3a0000
File size: 160'768 bytes
MD5 hash: F4E3DD5C1C2CE682A0513ACEFD3AB6A6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 5.3%
Total number of Nodes: 114
Total number of Limit Nodes: 12

Executed Functions

Control-flow Graph (graph rendering omitted; basic blocks 24ad02b-24ad245)
APIs
• GetCurrentProcess.KERNEL32 ref: 024AD0F6
• GetCurrentThread.KERNEL32 ref: 024AD133
• GetCurrentProcess.KERNEL32 ref: 024AD170
• GetCurrentThreadId.KERNEL32 ref: 024AD1C9
Memory Dump Source
• Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID: 4'q
• API String ID: 2063062207-1807707664
• Opcode ID: c44c403ddd4abb7ae21b3622c165b73c95414de97a77a2fe36efa9606b523fd5
• Instruction ID: 15172b5ab5d62f9ec1cfe94578dc78a357d8f00a94560529802d154253478a3a
• Opcode Fuzzy Hash: c44c403ddd4abb7ae21b3622c165b73c95414de97a77a2fe36efa9606b523fd5
• Instruction Fuzzy Hash: FF616AB0D01309CFEB15DFAAD988B9EBBF1EF88304F20809AD409A7250DB356945CF65

Control-flow Graph (graph rendering omitted; basic blocks 24ad078-24ad245)
APIs
• GetCurrentProcess.KERNEL32 ref: 024AD0F6
• GetCurrentThread.KERNEL32 ref: 024AD133
• GetCurrentProcess.KERNEL32 ref: 024AD170
• GetCurrentThreadId.KERNEL32 ref: 024AD1C9
Memory Dump Source
• Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 182960f30f22b523598122ea1edc593a349ac74ed046062a34bf1672abd3735a
• Instruction ID: 1f99ab6baf072ab56d359775e0a8c4c6d2376b2f979f1bfbd3657d644c3cc806
• Opcode Fuzzy Hash: 182960f30f22b523598122ea1edc593a349ac74ed046062a34bf1672abd3735a
• Instruction Fuzzy Hash: 975158B0D01309CFEB14DFAAD548B9EBBF1EB88304F20849AD419A7350DB35A944CF65

Control-flow Graph (graph rendering omitted; basic blocks 24aadf0-24ab070)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 024AB046
Memory Dump Source
• Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 43a6291ca4b6a292f6257083fcf17a687cafdf70cfcdbfc0dfcc9a4a97d48e09
• Instruction ID: c1f45ca827b5d81aa1b484e3ab87106f3b06b5ed123a7232eb88f1ccd5be9421
• Opcode Fuzzy Hash: 43a6291ca4b6a292f6257083fcf17a687cafdf70cfcdbfc0dfcc9a4a97d48e09
• Instruction Fuzzy Hash: 88711370A00B158FEB24DF2AD46575BBBF1FF88204F10892ED48A9BB40D775E949CB91

Control-flow Graph (graph rendering omitted; basic blocks 24a449c-24a5af4)
APIs
• CreateActCtxA.KERNEL32(?), ref: 024A59A9
Memory Dump Source
• Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c6fcd50b8b9033fb0ba5c0de9202192735b36f4bea91ca58f8554235dcddb1ff
• Instruction ID: b574fda033923330e460677cbe1c8335c47b12655a0ab6a476a97acc642c3d2e
• Opcode Fuzzy Hash: c6fcd50b8b9033fb0ba5c0de9202192735b36f4bea91ca58f8554235dcddb1ff
• Instruction Fuzzy Hash: 4F4102B0D00719CFEB24CFA9C9847CEBBB5BF49304F6080AAD409AB251DB75694ACF50

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 540 24a58ed-24a58f3 541 24a58fc-24a59b9 CreateActCtxA 540->541 543 24a59bb-24a59c1 541->543 544 24a59c2-24a5a1c 541->544 543->544 551 24a5a2b-24a5a2f 544->551 552 24a5a1e-24a5a21 544->552 553 24a5a40-24a5a70 551->553 554 24a5a31-24a5a3d 551->554 552->551 558 24a5a22-24a5a27 553->558 559 24a5a72-24a5af4 553->559 554->553 558->551
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 024A59A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                Control-flow Graph (graph figure not reproduced; DuplicateHandle is called from the basic block at 24ad2c0-24ad354)
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 024AD347
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                Control-flow Graph (graph figure not reproduced; DuplicateHandle is called from the basic block at 24ad2b9-24ad354)
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 024AD347
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                Control-flow Graph (graph figure not reproduced; GetModuleHandleW is called from the basic block at 24ab028-24ab053)
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 024AB046
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2437740183.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_24a0000_BouncingForm.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0

                                                Non-executed Functions

                                                APIs
                                                • GetKeyState.USER32(00000001), ref: 06E0136D
                                                • GetKeyState.USER32(00000002), ref: 06E013B2
                                                • GetKeyState.USER32(00000004), ref: 06E013F7
                                                • GetKeyState.USER32(00000005), ref: 06E0143C
                                                • GetKeyState.USER32(00000006), ref: 06E01481
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2439864342.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6e00000_BouncingForm.jbxd
                                                Similarity
                                                • API ID: State
                                                • String ID:
                                                • API String ID: 1649606143-0