
Windows Analysis Report SecuriteInfo.com.Scr.Malcodegdn30.14926.25699

Overview

General Information

Sample Name: SecuriteInfo.com.Scr.Malcodegdn30.14926.25699 (renamed file extension from 25699 to exe)
Analysis ID: 483813
MD5: cca4950623ac43e8be352cd121ba8261
SHA1: e4f64701acab28b77b84257ccb418811c397650f
SHA256: 17b08e4418f813543e91ad18ae2e50ecfe40692d9b5dec854e94ec0abbc92b11
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.midwestamericanwoman.com/ajki/"], "decoy": ["elborivegano.com", "jacksbookbuddies.com", "gentciu.com", "lovetattoonorteguadalix.com", "dahlkar.com", "hjobjiihna.club", "narccar.com", "noexcuseadventure.com", "mortongroverealestateinfo.com", "pursuegoodtimes.com", "becomearepresentativetoday.com", "20bagger.com", "lowestprices.space", "qzgay.com", "thegoenkapost.com", "glassdooronline.com", "quantizesoftware.com", "bayleighmphotography.com", "hzmm97.com", "theexoticbox.com", "verishop.site", "meusyouunlimited.com", "hvtnywveba.club", "yffuture.com", "bandsignsandgraphics.com", "rhealending.com", "studentlegalforms.com", "fubonbank.xyz", "themuslim101.com", "gigwindow.com", "thevillaflora.com", "fontankarecords.com", "liaofeng2008.com", "emerging.global", "rutasecretas.com", "imtheonlyperson.global", "bestforcrypto.com", "adasnspa.com", "abilityhomehealthservices.com", "travelfever-reiseblog.com", "redtail.football", "teatrodomorcego.com", "myfunkyshirt.com", "volanch.com", "ophelia.company", "learniapp.com", "inspiredsoulgifts.com", "citestasdsadasdwebzai.com", "wwwrijra.com", "esensites.com", "projetmaison64.com", "dailytipsones.com", "opticseurasia.com", "muslimsinsport.com", "kissbeauties.com", "aminarzhang.com", "empirepanada.com", "nilalvesfotografia.com", "eswensai.com", "espaciomeig.com", "pos010000.com", "qireys.com", "shethrivesvirtual.com", "nailch.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.midwestamericanwoman.com/ajki/"], "decoy": ["elborivegano.com", "jacksbookbuddies.com", "gentciu.com", "lovetattoonorteguadalix.com", "dahlkar.com", "hjobjiihna.club", "narccar.com", "noexcuseadventure.com", "mortongroverealestateinfo.com", "pursuegoodtimes.com", "becomearepresentativetoday.com", "20bagger.com", "lowestprices.space", "qzgay.com", "thegoenkapost.com", "glassdooronline.com", "quantizesoftware.com", "bayleighmphotography.com", "hzmm97.com", "theexoticbox.com", "verishop.site", "meusyouunlimited.com", "hvtnywveba.club", "yffuture.com", "bandsignsandgraphics.com", "rhealending.com", "studentlegalforms.com", "fubonbank.xyz", "themuslim101.com", "gigwindow.com", "thevillaflora.com", "fontankarecords.com", "liaofeng2008.com", "emerging.global", "rutasecretas.com", "imtheonlyperson.global", "bestforcrypto.com", "adasnspa.com", "abilityhomehealthservices.com", "travelfever-reiseblog.com", "redtail.football", "teatrodomorcego.com", "myfunkyshirt.com", "volanch.com", "ophelia.company", "learniapp.com", "inspiredsoulgifts.com", "citestasdsadasdwebzai.com", "wwwrijra.com", "esensites.com", "projetmaison64.com", "dailytipsones.com", "opticseurasia.com", "muslimsinsport.com", "kissbeauties.com", "aminarzhang.com", "empirepanada.com", "nilalvesfotografia.com", "eswensai.com", "espaciomeig.com", "pos010000.com", "qireys.com", "shethrivesvirtual.com", "nailch.com"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Virustotal: Detection: 22%
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.midwestamericanwoman.com/ajki/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: www.midwestamericanwoman.com/ajki/ | Virustotal: Detection: 5%
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 4x nop then pop ebx | 1_2_00407AE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 4x nop then pop edi | 1_2_0040E441
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 4x nop then pop edi | 1_2_00417D6E

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.midwestamericanwoman.com/ajki/
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, Form1.cs | Long String: Length: 38272
Source: 0.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Long String: Length: 38272
Source: 0.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Long String: Length: 38272
Source: 1.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.0.unpack, Form1.cs | Long String: Length: 38272
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.1.unpack, Form1.cs | Long String: Length: 38272
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_00868CF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_02B7E618
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_02B7E608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041E875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041E027
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D91D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041DA05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D5C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409E3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041CFA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00978CF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419E90 NtClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419E8B NtClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419F3A NtAllocateVirtualMemory
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.378089358.0000000007420000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000000.352664339.0000000000862000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLoadConte.exeh$ vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.377933544.0000000007160000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375819716.00000000016EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000000.372794912.0000000000972000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLoadConte.exeh$ vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Binary or memory string: OriginalFilenameLoadConte.exeh$ vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Virustotal: Detection: 22%
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | ReversingLabs: Detection: 22%
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.1.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.1.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_0086297F push 20000001h; retf | 0_2_00862992
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00417869 push 2AF2D80Eh; ret | 1_2_0041786E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_004170E3 push ecx; iretw | 1_2_004170E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00417146 push edi; ret | 1_2_00417151
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041711F pushfd ; retf | 1_2_00417120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041720B push 0000004Bh; retf | 1_2_0041721D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00407A8D push FFFFFF88h; ret | 1_2_00407A8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041E410 push D4941EB5h; ret | 1_2_0041E42E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D5C8 push ecx; ret | 1_2_0041D75D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeCode function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeCode function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeCode function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeCode function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeCode function: 1_2_00417721 push edi; ret 1_2_00417728
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeCode function: 1_2_0097297F push 20000001h; retf 1_2_00972992
            Source: initial sampleStatic PE information: section name: .text entropy: 7.55363015372
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe PID: 776, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe TID: 976 | Thread sleep time: -34999s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe TID: 1748 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Thread delayed: delay time: 34999
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Thread delayed: delay time: 922337203685477
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
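The behaviour lines above (the volume-information queries against the font directory and the GAC assembly, the MachineGuid registry read, and the Yara match sources) are the raw material for triage, and a practitioner usually wants them in a structured form rather than as a flat list. The script below is an added example, not part of the sandbox report or of the sample: it parses a constructed subset of those lines into events and summarises the three things worth checking first, namely how many of the volume queries are font-directory reads (typically a side effect of GDI+ font enumeration in a .NET application and a weak signal on its own), whether HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid was read (a stable per-host identifier that malware commonly folds into a victim ID), and in which process and at which base address the Yara rule fired. The field layout assumed for the unpack and memory-dump names (process id, phase, base address) and the single-space separator between the process path and the action are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed subset of this report's behaviour lines, in the cleaned "Source: <proc> <action>" shape.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
"""

# \s* tolerates both the cleaned lines and the extracted form where the action is glued to ".exe".
VOLUME_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)\s*Queries volume information: (?P<path>.+?) VolumeInformation$")
REGISTRY_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)\s*Key value queried: (?P<key>.+?) (?P<value>\S+)$")
YARA_RE = re.compile(r"^Source: Yara match\s*File source: (?P<src>\S+), type: (?P<type>\w+)$")

# Assumed layouts (not documented on the page):
#   "<pid>.<phase>.<image name>.<base>.<n>[.raw].unpack"
#   "<pid>.<phase>.<timestamp>.<base>.<protect>.<type>.sdmp", fixed-width hex except the timestamp
UNPACK_RE = re.compile(r"^(?P<pid>[0-9a-f]+)\.(?P<phase>[0-9a-f]+)\..+?\.(?P<base>[0-9a-f]+)\.\d+\.(?:raw\.)?unpack$", re.I)
SDMP_RE = re.compile(r"^(?P<pid>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.\d+\.(?P<base>[0-9a-f]{16})\.[0-9a-f]{8}\.[0-9a-f]{8}\.sdmp$", re.I)


def parse_behavior(text):
    """Turn report lines into a list of event dicts; lines that fit none of the patterns are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := VOLUME_RE.match(line):
            events.append({"kind": "volume_query", "proc": m["proc"], "path": m["path"]})
        elif m := REGISTRY_RE.match(line):
            events.append({"kind": "registry_query", "proc": m["proc"], "key": m["key"], "value": m["value"]})
        elif m := YARA_RE.match(line):
            events.append({"kind": "yara_match", "src": m["src"], "type": m["type"]})
    return events


def payload_location(src):
    """Map a Yara source name to (pid, base address), or None if it fits neither assumed layout."""
    m = UNPACK_RE.match(src) or SDMP_RE.match(src)
    if not m:
        return None
    return int(m["pid"], 16), int(m["base"], 16)


def summarize(events):
    """Reduce the events to the triage facts: font noise, host fingerprinting, and where the payload lives."""
    fonts_prefix = "c:\\windows\\fonts\\"
    summary = {
        "font_volume_queries": 0,      # GDI+ font enumeration noise, counted but not flagged
        "other_volume_queries": [],    # non-font paths are worth a look (here: the GAC assembly)
        "machineguid_read": False,     # HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
        "yara_payload_bases": defaultdict(set),  # pid -> {base addresses where the rule matched}
    }
    for e in events:
        if e["kind"] == "volume_query":
            if e["path"].lower().startswith(fonts_prefix):
                summary["font_volume_queries"] += 1
            else:
                summary["other_volume_queries"].append(e["path"])
        elif e["kind"] == "registry_query":
            if e["value"].lower() == "machineguid" and e["key"].lower().endswith("\\microsoft\\cryptography"):
                summary["machineguid_read"] = True
        elif e["kind"] == "yara_match":
            loc = payload_location(e["src"])
            if loc:
                pid, base = loc
                summary["yara_payload_bases"][pid].add(base)
    summary["yara_payload_bases"] = dict(summary["yara_payload_bases"])
    return summary


if __name__ == "__main__":
    s = summarize(parse_behavior(SAMPLE_LINES))
    print(f"font volume queries : {s['font_volume_queries']}")
    print(f"other volume queries: {s['other_volume_queries']}")
    print(f"MachineGuid read    : {s['machineguid_read']}")
    for pid, bases in sorted(s["yara_payload_bases"].items()):
        print(f"Yara hit in pid {pid} at " + ", ".join(hex(b) for b in sorted(bases)))
```

On the constructed input the summary reports two font reads, the Microsoft.VisualBasic.dll query as the only non-font volume query, the MachineGuid read as present, and Yara hits at 0x400000 in process 1 and at 0x3B99000 in process 0. The grouping by process is the useful part: a match at the default image base 0x400000 in one process alongside a match in a heap-range address in another is what you would expect when an unpacked payload is staged in the first process and then mapped into a second, and it tells you which dump to carve for the configuration.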

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match