Analysis Report SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788

Overview

General Information

Sample Name: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788 (renamed file extension from 27788 to exe)
Analysis ID: 255686
MD5: 8c5fad5ff5c2c0af9ce18b5130f3d43c
SHA1: 0e2cb2a9fd256afdb2a877fa0b8fbe6c7d30c6b4
SHA256: f11bf0f5b97161b5d27b4cbbc02fae52957df15646513874df10bc06d1d4e5df

Detection

FormBook
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bf26:$s5: AEAAAAMAAQqVT
  • 0x3be97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.237359123.00000000027E1000.00000004.00000001.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0xf84b:$s5: AEAAAAMAAQqVT
00000000.00000002.236101752.0000000000042000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bd26:$s5: AEAAAAMAAQqVT
  • 0x3bc97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000000.232837094.0000000000042000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bd26:$s5: AEAAAAMAAQqVT
  • 0x3bc97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.238011323.0000000000AB2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bd26:$s5: AEAAAAMAAQqVT
  • 0x3bc97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000000.235578954.0000000000AB2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bd26:$s5: AEAAAAMAAQqVT
  • 0x3bc97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.ab0000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bf26:$s5: AEAAAAMAAQqVT
  • 0x3be97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
1.0.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.ab0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bf26:$s5: AEAAAAMAAQqVT
  • 0x3be97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.40000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bf26:$s5: AEAAAAMAAQqVT
  • 0x3be97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.0.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.40000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x3bf26:$s5: AEAAAAMAAQqVT
  • 0x3be97:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Yara detected FormBook
    Source: Yara match, File source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Machine Learning detection for sample
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 4x nop then pop esi, 1_2_00417379
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, String found in binary or memory: https://code-projects.org/

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match, File source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_00419830 NtCreateFile, 1_2_00419830
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_004198E0 NtReadFile, 1_2_004198E0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_00419960 NtClose, 1_2_00419960
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_00419A10 NtAllocateVirtualMemory, 1_2_00419A10
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_00419A0B NtAllocateVirtualMemory, 1_2_00419A0B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_01589860
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_01589660
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_015896E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_015896E0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589950 NtQueueApcThread, 1_2_01589950
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589910 NtAdjustPrivilegesToken, 1_2_01589910
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_015899D0 NtCreateProcessEx, 1_2_015899D0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_015899A0 NtCreateSection, 1_2_015899A0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_0158B040 NtSuspendThread, 1_2_0158B040
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589840 NtDelayExecution, 1_2_01589840
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589820 NtEnumerateKey, 1_2_01589820
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_015898F0 NtReadVirtualMemory, 1_2_015898F0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_015898A0 NtWriteVirtualMemory, 1_2_015898A0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589B00 NtSetValueKey, 1_2_01589B00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_0158A3B0 NtGetContextThread, 1_2_0158A3B0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589A50 NtCreateFile, 1_2_01589A50
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589A10 NtQuerySection, 1_2_01589A10
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589A00 NtProtectVirtualMemory, 1_2_01589A00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589A20 NtResumeThread, 1_2_01589A20
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589A80 NtOpenDirectoryObject, 1_2_01589A80
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589540 NtReadFile, 1_2_01589540
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589560 NtWriteFile, 1_2_01589560
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_0158AD30 NtSetContextThread, 1_2_0158AD30
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589520 NtWaitForSingleObject, 1_2_01589520
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_015895D0 NtClose, 1_2_015895D0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_015895F0 NtQueryInformationFile, 1_2_015895F0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_0158A770 NtOpenThread, 1_2_0158A770
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589770 NtSetInformationFile, 1_2_01589770
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589760 NtOpenProcess, 1_2_01589760
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589710 NtQueryInformationToken, 1_2_01589710
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_0158A710 NtOpenProcessToken, 1_2_0158A710
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: 1_2_01589730 NtQueryVirtualMemory, 1_2_01589730
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: String function: 015D5720 appears 72 times
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: String function: 0159D08C appears 37 times
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Code function: String function: 0154B150 appears 149 times
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000000.00000002.237961534.00000000037E1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAndroidStudio.dll< vs SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000000.00000002.237372204.00000000027FC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLazarus.exe4 vs SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000000.00000002.236196756.00000000000B4000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameHevkl.exe6 vs SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000000.00000002.239365264.0000000004930000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000001.00000002.239175975.000000000163F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000001.00000000.235637004.0000000000B24000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameHevkl.exe6 vs SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Binary or memory string: OriginalFilenameHevkl.exe6 vs SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, type: SAMPLE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000000.00000002.237359123.00000000027E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000000.00000002.236101752.0000000000042000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000000.00000000.232837094.0000000000042000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000001.00000002.238011323.0000000000AB2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000001.00000000.235578954.0000000000AB2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe PID: 7136, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: Process Memory Space: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe PID: 7108, type: MEMORY, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.ab0000.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 1.0.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.ab0000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.40000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0.0.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.40000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: classification engine; Classification label: mal68.troj.evad.winEXE@3/1@0/0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.log
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe'
    Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe {path}
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe {path}
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000001.00000002.239175975.000000000163F000.00000040.00000001.sdmp
    Source: Binary string: wntdll.pdb source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
    Source: Binary string: mscorrc.pdb source: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, 00000000.00000002.239365264.0000000004930000.00000002.00000001.sdmp
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_004170A5 pushfd ; retf 1_2_004170BB
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_004170B5 pushfd ; retf 1_2_004170BB
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0040E951 push ss; iretd 1_2_0040E952
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0041E164 push 55C4DB81h; retf 1_2_0041E169
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0041DAA9 push dword ptr [17C46FD6h]; ret 1_2_0041DACD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0040F303 push esp; iretd 1_2_0040F309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_00403B05 pushfd ; ret 1_2_00403B06
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_00419B32 pushfd ; iretd 1_2_00419B38
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0041C6F2 push eax; ret 1_2_0041C6F8
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0041C6FB push eax; ret 1_2_0041C762
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_00401697 push ebp; iretd 1_2_0040169A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0041C6A5 push eax; ret 1_2_0041C6F8
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0041C75C push eax; ret 1_2_0041C762
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_0159D0D1 push ecx; ret 1_2_0159D0E4
    Source: initial sample; Static PE information: section name: .text entropy: 7.30316504708
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_00409A50 rdtsc 1_2_00409A50
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe TID: 7112; Thread sleep time: -33000s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe TID: 7128; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Process queried: DebugPort
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_00409A50 rdtsc 1_2_00409A50
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe; Code function: 1_2_01589860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_01589860
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0154F358 mov eax, dword ptr fs:[00000030h]1_2_0154F358
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01573B5A mov eax, dword ptr fs:[00000030h]1_2_01573B5A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01573B5A mov eax, dword ptr fs:[00000030h]1_2_01573B5A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01573B5A mov eax, dword ptr fs:[00000030h]1_2_01573B5A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01573B5A mov eax, dword ptr fs:[00000030h]1_2_01573B5A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0154DB40 mov eax, dword ptr fs:[00000030h]1_2_0154DB40
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155F370 mov eax, dword ptr fs:[00000030h]1_2_0155F370
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155F370 mov eax, dword ptr fs:[00000030h]1_2_0155F370
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155F370 mov eax, dword ptr fs:[00000030h]1_2_0155F370
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01573B7A mov eax, dword ptr fs:[00000030h]1_2_01573B7A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01573B7A mov eax, dword ptr fs:[00000030h]1_2_01573B7A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0154DB60 mov ecx, dword ptr fs:[00000030h]1_2_0154DB60
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015D6365 mov eax, dword ptr fs:[00000030h]1_2_015D6365
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015D6365 mov eax, dword ptr fs:[00000030h]1_2_015D6365
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015D6365 mov eax, dword ptr fs:[00000030h]1_2_015D6365
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01618B58 mov eax, dword ptr fs:[00000030h]1_2_01618B58
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A309 mov eax, dword ptr fs:[00000030h]1_2_0156A309
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0160131B mov eax, dword ptr fs:[00000030h]1_2_0160131B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015753C5 mov eax, dword ptr fs:[00000030h]1_2_015753C5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015C53CA mov eax, dword ptr fs:[00000030h]1_2_015C53CA
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015C53CA mov eax, dword ptr fs:[00000030h]1_2_015C53CA
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015703E2 mov eax, dword ptr fs:[00000030h]1_2_015703E2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015703E2 mov eax, dword ptr fs:[00000030h]1_2_015703E2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015703E2 mov eax, dword ptr fs:[00000030h]1_2_015703E2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015703E2 mov eax, dword ptr fs:[00000030h]1_2_015703E2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015703E2 mov eax, dword ptr fs:[00000030h]1_2_015703E2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015703E2 mov eax, dword ptr fs:[00000030h]1_2_015703E2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015F23E3 mov ecx, dword ptr fs:[00000030h]1_2_015F23E3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015F23E3 mov ecx, dword ptr fs:[00000030h]1_2_015F23E3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015F23E3 mov eax, dword ptr fs:[00000030h]1_2_015F23E3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01541BE9 mov eax, dword ptr fs:[00000030h]1_2_01541BE9
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156DBE9 mov eax, dword ptr fs:[00000030h]1_2_0156DBE9
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01572397 mov eax, dword ptr fs:[00000030h]1_2_01572397
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01544B94 mov edi, dword ptr fs:[00000030h]1_2_01544B94
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01615BA5 mov eax, dword ptr fs:[00000030h]1_2_01615BA5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157B390 mov eax, dword ptr fs:[00000030h]1_2_0157B390
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01601BA8 mov eax, dword ptr fs:[00000030h]1_2_01601BA8
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156EB9A mov eax, dword ptr fs:[00000030h]1_2_0156EB9A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156EB9A mov eax, dword ptr fs:[00000030h]1_2_0156EB9A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015EEB8A mov ecx, dword ptr fs:[00000030h]1_2_015EEB8A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015EEB8A mov eax, dword ptr fs:[00000030h]1_2_015EEB8A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015EEB8A mov eax, dword ptr fs:[00000030h]1_2_015EEB8A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015EEB8A mov eax, dword ptr fs:[00000030h]1_2_015EEB8A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01618BB6 mov eax, dword ptr fs:[00000030h]1_2_01618BB6
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01551B8F mov eax, dword ptr fs:[00000030h]1_2_01551B8F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01551B8F mov eax, dword ptr fs:[00000030h]1_2_01551B8F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157138B mov eax, dword ptr fs:[00000030h]1_2_0157138B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157138B mov eax, dword ptr fs:[00000030h]1_2_0157138B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157138B mov eax, dword ptr fs:[00000030h]1_2_0157138B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015FD380 mov ecx, dword ptr fs:[00000030h]1_2_015FD380
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01619BBE mov eax, dword ptr fs:[00000030h]1_2_01619BBE
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0160138A mov eax, dword ptr fs:[00000030h]1_2_0160138A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01574BAD mov eax, dword ptr fs:[00000030h]1_2_01574BAD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01574BAD mov eax, dword ptr fs:[00000030h]1_2_01574BAD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01574BAD mov eax, dword ptr fs:[00000030h]1_2_01574BAD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01618A62 mov eax, dword ptr fs:[00000030h]1_2_01618A62
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015D4257 mov eax, dword ptr fs:[00000030h]1_2_015D4257
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01549240 mov eax, dword ptr fs:[00000030h]1_2_01549240
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01549240 mov eax, dword ptr fs:[00000030h]1_2_01549240
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01549240 mov eax, dword ptr fs:[00000030h]1_2_01549240
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01549240 mov eax, dword ptr fs:[00000030h]1_2_01549240
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0158927A mov eax, dword ptr fs:[00000030h]1_2_0158927A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01585A69 mov eax, dword ptr fs:[00000030h]1_2_01585A69
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01585A69 mov eax, dword ptr fs:[00000030h]1_2_01585A69
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01585A69 mov eax, dword ptr fs:[00000030h]1_2_01585A69
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0160EA55 mov eax, dword ptr fs:[00000030h]1_2_0160EA55
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015FB260 mov eax, dword ptr fs:[00000030h]1_2_015FB260
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015FB260 mov eax, dword ptr fs:[00000030h]1_2_015FB260
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01601A5F mov eax, dword ptr fs:[00000030h]1_2_01601A5F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0154AA16 mov eax, dword ptr fs:[00000030h]1_2_0154AA16
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0154AA16 mov eax, dword ptr fs:[00000030h]1_2_0154AA16
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01545210 mov eax, dword ptr fs:[00000030h]1_2_01545210
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01545210 mov ecx, dword ptr fs:[00000030h]1_2_01545210
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01545210 mov eax, dword ptr fs:[00000030h]1_2_01545210
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01545210 mov eax, dword ptr fs:[00000030h]1_2_01545210
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01601229 mov eax, dword ptr fs:[00000030h]1_2_01601229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01563A1C mov eax, dword ptr fs:[00000030h]1_2_01563A1C
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov ecx, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155BA00 mov eax, dword ptr fs:[00000030h]1_2_0155BA00
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01558A0A mov eax, dword ptr fs:[00000030h]1_2_01558A0A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156B236 mov eax, dword ptr fs:[00000030h]1_2_0156B236
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156B236 mov eax, dword ptr fs:[00000030h]1_2_0156B236
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156B236 mov eax, dword ptr fs:[00000030h]1_2_0156B236
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156B236 mov eax, dword ptr fs:[00000030h]1_2_0156B236
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156B236 mov eax, dword ptr fs:[00000030h]1_2_0156B236
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156B236 mov eax, dword ptr fs:[00000030h]1_2_0156B236
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01548239 mov eax, dword ptr fs:[00000030h]1_2_01548239
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01548239 mov eax, dword ptr fs:[00000030h]1_2_01548239
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01548239 mov eax, dword ptr fs:[00000030h]1_2_01548239
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01584A2C mov eax, dword ptr fs:[00000030h]1_2_01584A2C
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01584A2C mov eax, dword ptr fs:[00000030h]1_2_01584A2C
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01544A20 mov eax, dword ptr fs:[00000030h]1_2_01544A20
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01544A20 mov eax, dword ptr fs:[00000030h]1_2_01544A20
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0160AA16 mov eax, dword ptr fs:[00000030h]1_2_0160AA16
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0160AA16 mov eax, dword ptr fs:[00000030h]1_2_0160AA16
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0156A229 mov eax, dword ptr fs:[00000030h]1_2_0156A229
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015412D4 mov eax, dword ptr fs:[00000030h]1_2_015412D4
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01604AEF mov eax, dword ptr fs:[00000030h]1_2_01604AEF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01545AC0 mov eax, dword ptr fs:[00000030h]1_2_01545AC0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01545AC0 mov eax, dword ptr fs:[00000030h]1_2_01545AC0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01545AC0 mov eax, dword ptr fs:[00000030h]1_2_01545AC0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01572ACB mov eax, dword ptr fs:[00000030h]1_2_01572ACB
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01543ACA mov eax, dword ptr fs:[00000030h]1_2_01543ACA
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01572AE4 mov eax, dword ptr fs:[00000030h]1_2_01572AE4
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01618ADD mov eax, dword ptr fs:[00000030h]1_2_01618ADD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157D294 mov eax, dword ptr fs:[00000030h]1_2_0157D294
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157D294 mov eax, dword ptr fs:[00000030h]1_2_0157D294
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157DA88 mov eax, dword ptr fs:[00000030h]1_2_0157DA88
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157DA88 mov eax, dword ptr fs:[00000030h]1_2_0157DA88
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155AAB0 mov eax, dword ptr fs:[00000030h]1_2_0155AAB0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0155AAB0 mov eax, dword ptr fs:[00000030h]1_2_0155AAB0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_0157FAB0 mov eax, dword ptr fs:[00000030h]1_2_0157FAB0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015712BD mov esi, dword ptr fs:[00000030h]1_2_015712BD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015712BD mov eax, dword ptr fs:[00000030h]1_2_015712BD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015712BD mov eax, dword ptr fs:[00000030h]1_2_015712BD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015452A5 mov eax, dword ptr fs:[00000030h]1_2_015452A5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015452A5 mov eax, dword ptr fs:[00000030h]1_2_015452A5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015452A5 mov eax, dword ptr fs:[00000030h]1_2_015452A5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015452A5 mov eax, dword ptr fs:[00000030h]1_2_015452A5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015452A5 mov eax, dword ptr fs:[00000030h]1_2_015452A5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01541AA0 mov eax, dword ptr fs:[00000030h]1_2_01541AA0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015562A0 mov eax, dword ptr fs:[00000030h]1_2_015562A0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015562A0 mov eax, dword ptr fs:[00000030h]1_2_015562A0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015562A0 mov eax, dword ptr fs:[00000030h]1_2_015562A0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_015562A0 mov eax, dword ptr fs:[00000030h]1_2_015562A0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01575AA0 mov eax, dword ptr fs:[00000030h]1_2_01575AA0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exeCode function: 1_2_01575AA0 mov eax, dword ptr fs:[00000030h]1_2_01575AA0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Memory written: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe {path}
    Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information:

    Yara detected FormBook
    Source: Yara match, File source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    Yara detected FormBook
    Source: Yara match, File source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.2.SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.400000.0.raw.unpack, type: UNPACKEDPE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 111 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 12 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | System Information Discovery 12 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 111 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe | 100% | Joe Sandbox ML | |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://code-projects.org/ | SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe | false | | high

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:29.0.0 Ocean Jasper
      Analysis ID:255686
      Start date:01.08.2020
      Start time:23:52:15
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 4m 44s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788 (renamed file extension from 27788 to exe)
      Cookbook file name:default.jbs
      Analysis system description:w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:2
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal68.troj.evad.winEXE@3/1@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 1.2% (good quality ratio 1.2%)
      • Quality average: 89.4%
      • Quality standard deviation: 12.6%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 61
      • Number of non-executed functions: 256
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Stop behavior analysis, all processes terminated

      Simulations

      Behavior and APIs

      Time | Type | Description
      23:53:08 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe modified

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe.log
      Process:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
      File Type:ASCII text, with CRLF line terminators
      Size (bytes):525
      Entropy (8bit):5.2874233355119316
      Encrypted:false
      MD5:61CCF53571C9ABA6511D696CB0D32E45
      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
      Malicious:true
      Reputation:low
      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.291448768554393
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      • Win32 Executable (generic) a (10002005/4) 49.75%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Windows Screen Saver (13104/52) 0.07%
      • Generic Win/DOS Executable (2004/3) 0.01%
      File name:SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
      File size:465920
      MD5:8c5fad5ff5c2c0af9ce18b5130f3d43c
      SHA1:0e2cb2a9fd256afdb2a877fa0b8fbe6c7d30c6b4
      SHA256:f11bf0f5b97161b5d27b4cbbc02fae52957df15646513874df10bc06d1d4e5df
      SHA512:c3ecee109de715fb49ca3e8fd35b598c01ff59ccaf377bfb3b2f5d8463bad6e469a89f8dd56cdae3781335a72e3eb695c7dd4f675f9f64712e97f9fea5fafed2
      SSDEEP:12288:mIXFSwN4Q3OLK2lpbd84QiCzjJLEoP+7Zld/lWbJxaid1OU+BHtCOXaqvb5nzoVp:kU+xBXxTBbN
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0.............^0... ...@....@.. ....................................@................................

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x47305e
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5F0414D4 [Tue Jul 7 06:23:16 2020 UTC]
      TLS Callbacks:
      CLR (.Net) Version:v2.0.50727
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

      Entrypoint Preview

      Instruction
      jmp dword ptr [00402000h]
      add byte ptr [eax], al

      Data Directories

      Name                                  Virtual Address  Virtual Size  Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
      IMAGE_DIRECTORY_ENTRY_IMPORT          0x7300c          0x4f          .text
      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x74000          0x5d8         .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x76000          0xc           .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

      Sections

      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
      .text   0x2000           0x71064       0x71200   False     0.684333995166   data       7.30316504708    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rsrc   0x74000          0x5d8         0x600     False     0.442057291667   data       4.19026465818    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc  0x76000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      Name         RVA      Size   Type                                                                               Language  Country
      RT_VERSION   0x74090  0x346  data
      RT_MANIFEST  0x743e8  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

      Imports

      DLL          Import
      mscoree.dll  _CorExeMain

      Version Infos

      Description       Data
      Translation       0x0000 0x04b0
      LegalCopyright    Alles Jules (C)
      Assembly Version  3.8.0.36
      InternalName      Hevkl.exe
      FileVersion       3.8.0.74
      CompanyName       Alles Jules
      LegalTrademarks
      Comments          Ct nord
      ProductName       Carpentras
      ProductVersion    3.8.0.74
      FileDescription   Carpentras
      OriginalFilename  Hevkl.exe

      Network Behavior

      No network behavior found

      Code Manipulations

      System Behavior

      General

      Start time:23:53:07
      Start date:01/08/2020
      Path:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe'
      Imagebase:0x40000
      File size:465920 bytes
      MD5 hash:8C5FAD5FF5C2C0AF9CE18B5130F3D43C
      Has administrator privileges:false
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000000.00000002.237359123.00000000027E1000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000000.00000002.236101752.0000000000042000.00000002.00020000.sdmp, Author: Florian Roth
      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000000.00000000.232837094.0000000000042000.00000002.00020000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.238335119.000000000396B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      Reputation:low

      General

      Start time:23:53:08
      Start date:01/08/2020
      Path:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.exe
      Wow64 process (32bit):true
      Commandline:{path}
      Imagebase:0xab0000
      File size:465920 bytes
      MD5 hash:8C5FAD5FF5C2C0AF9CE18B5130F3D43C
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000001.00000002.238011323.0000000000AB2000.00000002.00020000.sdmp, Author: Florian Roth
      • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000001.00000000.235578954.0000000000AB2000.00000002.00020000.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.237981120.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      Reputation:low

      Disassembly

      Code Analysis