
Windows Analysis Report SecuriteInfo.com.Scr.Malcodegdn30.14926.25699

Overview

General Information

Sample Name: SecuriteInfo.com.Scr.Malcodegdn30.14926.25699 (renamed file extension from 25699 to exe)
Analysis ID: 483813
MD5: cca4950623ac43e8be352cd121ba8261
SHA1: e4f64701acab28b77b84257ccb418811c397650f
SHA256: 17b08e4418f813543e91ad18ae2e50ecfe40692d9b5dec854e94ec0abbc92b11
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.midwestamericanwoman.com/ajki/"], "decoy": ["elborivegano.com", "jacksbookbuddies.com", "gentciu.com", "lovetattoonorteguadalix.com", "dahlkar.com", "hjobjiihna.club", "narccar.com", "noexcuseadventure.com", "mortongroverealestateinfo.com", "pursuegoodtimes.com", "becomearepresentativetoday.com", "20bagger.com", "lowestprices.space", "qzgay.com", "thegoenkapost.com", "glassdooronline.com", "quantizesoftware.com", "bayleighmphotography.com", "hzmm97.com", "theexoticbox.com", "verishop.site", "meusyouunlimited.com", "hvtnywveba.club", "yffuture.com", "bandsignsandgraphics.com", "rhealending.com", "studentlegalforms.com", "fubonbank.xyz", "themuslim101.com", "gigwindow.com", "thevillaflora.com", "fontankarecords.com", "liaofeng2008.com", "emerging.global", "rutasecretas.com", "imtheonlyperson.global", "bestforcrypto.com", "adasnspa.com", "abilityhomehealthservices.com", "travelfever-reiseblog.com", "redtail.football", "teatrodomorcego.com", "myfunkyshirt.com", "volanch.com", "ophelia.company", "learniapp.com", "inspiredsoulgifts.com", "citestasdsadasdwebzai.com", "wwwrijra.com", "esensites.com", "projetmaison64.com", "dailytipsones.com", "opticseurasia.com", "muslimsinsport.com", "kissbeauties.com", "aminarzhang.com", "empirepanada.com", "nilalvesfotografia.com", "eswensai.com", "espaciomeig.com", "pos010000.com", "qireys.com", "shethrivesvirtual.com", "nailch.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Virustotal: Detection: 22%
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.midwestamericanwoman.com/ajki/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: www.midwestamericanwoman.com/ajki/ | Virustotal: Detection: 5%
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.midwestamericanwoman.com/ajki/
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.376863059.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, Form1.cs | Long String: Length: 38272
Source: 0.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Long String: Length: 38272
Source: 0.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Long String: Length: 38272
Source: 1.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.0.unpack, Form1.cs | Long String: Length: 38272
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.1.unpack, Form1.cs | Long String: Length: 38272
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_00868CF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_02B7E618
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_02B7E608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041E875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041E027
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D91D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041DA05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D5C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409E3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041CFA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00978CF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419E90 NtClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419E8B NtClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00419F3A NtAllocateVirtualMemory
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.378089358.0000000007420000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000000.352664339.0000000000862000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLoadConte.exeh$ vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.377933544.0000000007160000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375819716.00000000016EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000000.372794912.0000000000972000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLoadConte.exeh$ vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Binary or memory string: OriginalFilenameLoadConte.exeh$ vs SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Virustotal: Detection: 22%
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | ReversingLabs: Detection: 22%
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.1.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000001.00000002.375218047.000000000155F000.00000040.00000001.sdmp

Data Obfuscation:

            barindex
            .NET source code contains potential unpackerShow sources
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.860000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.0.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.970000.1.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 0_2_0086297F push 20000001h; retf
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00417869 push 2AF2D80Eh; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_004170E3 push ecx; iretw
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00417146 push edi; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041711F pushfd ; retf
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041720B push 0000004Bh; retf
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00407A8D push FFFFFF88h; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041E410 push D4941EB5h; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041D5C8 push ecx; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041CEB5 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041CF6C push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041CF02 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0041CF0B push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00417721 push edi; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_0097297F push 20000001h; retf
            Source: initial sample | Static PE information: section name: .text entropy: 7.55363015372
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe PID: 776, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe TID: 976 | Thread sleep time: -34999s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe TID: 1748 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409A90 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Thread delayed: delay time: 34999
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Thread delayed: delay time: 922337203685477
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: VMWARE
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
            Source: SecuriteInfo.com.Scr.Malcodegdn30.14926.exe, 00000000.00000002.374444260.0000000002BA2000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Code function: 1_2_00409A90 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Scr.Malcodegdn30.14926.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            barindex
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.SecuriteInfo.com.Scr.Malcodegdn30.14926.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.374677540.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.374827398.0000000003B99000.00000004.00000001.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection111 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection111 | NTDS | System Information Discovery112 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.