Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.21425.740

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetectNet.01.21425.740 (renamed file extension from 740 to exe)
Analysis ID:	626308
MD5:	3da44c0f1ed72b72ccd424f5aa59d741
SHA1:	0ee6faecf98ce05e6f135d80ac354382b48eb159
SHA256:	69373d6ff7f903c56ae75d1a25800e1b161c9cfa9d5fed15eb36216937a24714
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Uses 32bit PE files

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.AIDetectNet.01.21425.exe (PID: 3748 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe" MD5: 3DA44C0F1ED72B72CCD424F5AA59D741)

SecuriteInfo.com.W32.AIDetectNet.01.21425.exe (PID: 3620 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe MD5: 3DA44C0F1ED72B72CCD424F5AA59D741)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fragrantneed.com/an49/"], "decoy": ["vfmcxfjaukmccjn.com", "visualdvledtechnology.com", "webfinder.online", "anhuizuche.com", "animalmusts.com", "seaspraylux.com", "paribusproductions.com", "veterinarydoctortiny.com", "valyhags.com", "qhdlvjx.com", "bagsboutique.online", "horibest.com", "niejernen.com", "trivantages.com", "webtesterpro.com", "806425.com", "maystonecounseling.com", "xzvsadt9.com", "lyypu.icu", "emagrecasaudavel.online", "eco2earn.com", "rg74.com", "qqbolazona.net", "consensuspayment.xyz", "organicsroyalty.com", "mysam.net", "tjsgyg.com", "jia-nong.com", "abpositive.life", "citla.net", "threesixtytools.com", "emailchant.com", "usedcarsdepotus.com", "weipaotu.com", "tourmovie.com", "jejelou.net", "treeleo.com", "sydneychaandraat.com", "aurethas.com", "hd1bw6fq7yobfu.xyz", "racetherattler.com", "blightbane.com", "darion.pro", "jayzerel.com", "canzip.online", "bodakelly.com", "movedigitalmedia.com", "reamofe.xyz", "panzoism.com", "crazyjs.xyz", "hu1b7mxq5intpd.xyz", "water168.xyz", "nabirgbroom.com", "nelagarments.com", "drailsashailer.com", "youngmusiad.net", "dadhowto.com", "monolocostore.com", "nichinansemento.com", "52apollo.com", "butlerinu.xyz", "setsnshop.com", "da3a8msr4xek5w.life", "cleburnewalkinshowers.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe0728:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe09a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1b4148:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1b43c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e1568:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e17e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xec4d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1bfef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1ed315:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xebfc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1bf9e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1ece01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xec5d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1bfff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1ed417:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xec74f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1c016f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1ed58f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe13ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b4dda:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1e21fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xef669:$sqlite3step: 68 34 1C 7B E1 0xef77c:$sqlite3step: 68 34 1C 7B E1 0x1c3089:$sqlite3step: 68 34 1C 7B E1 0x1c319c:$sqlite3step: 68 34 1C 7B E1 0x1f04a9:$sqlite3step: 68 34 1C 7B E1 0x1f05bc:$sqlite3step: 68 34 1C 7B E1 0xef698:$sqlite3text: 68 38 2A 90 C5 0xef7bd:$sqlite3text: 68 38 2A 90 C5 0x1c30b8:$sqlite3text: 68 38 2A 90 C5 0x1c31dd:$sqlite3text: 68 38 2A 90 C5 0x1f04d8:$sqlite3text: 68 38 2A 90 C5 0x1f05fd:$sqlite3text: 68 38 2A 90 C5 0xef6ab:$sqlite3blob: 68 53 D8 7F 8C 0xef7d3:$sqlite3blob: 68 53 D8 7F 8C 0x1c30cb:$sqlite3blob: 68 53 D8 7F 8C 0x1c31f3:$sqlite3blob: 68 53 D8 7F 8C 0x1f04eb:$sqlite3blob: 68 53 D8 7F 8C 0x1f0613:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe PID: 3748	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8e328:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8e5a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbb748:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbb9c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9a0d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xc74f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x99bc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xc6fe1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9a1d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xc75f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9a34f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc776f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8efba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xbc3da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x98e3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc625c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8fcb3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xbd0d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa0347:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xcd767:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa134a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x9d269:$sqlite3step: 68 34 1C 7B E1 0x9d37c:$sqlite3step: 68 34 1C 7B E1 0xca689:$sqlite3step: 68 34 1C 7B E1 0xca79c:$sqlite3step: 68 34 1C 7B E1 0x9d298:$sqlite3text: 68 38 2A 90 C5 0x9d3bd:$sqlite3text: 68 38 2A 90 C5 0xca6b8:$sqlite3text: 68 38 2A 90 C5 0xca7dd:$sqlite3text: 68 38 2A 90 C5 0x9d2ab:$sqlite3blob: 68 53 D8 7F 8C 0x9d3d3:$sqlite3blob: 68 53 D8 7F 8C 0xca6cb:$sqlite3blob: 68 53 D8 7F 8C 0xca7f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x3f328:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3f5a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x112d48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x112fc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x140168:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1403e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4b0d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11eaf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14bf15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4abc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11e5e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14ba01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4b1d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11ebf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14c017:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4b34f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11ed6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14c18f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x3ffba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1139da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x140dfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4e269:$sqlite3step: 68 34 1C 7B E1 0x4e37c:$sqlite3step: 68 34 1C 7B E1 0x121c89:$sqlite3step: 68 34 1C 7B E1 0x121d9c:$sqlite3step: 68 34 1C 7B E1 0x14f0a9:$sqlite3step: 68 34 1C 7B E1 0x14f1bc:$sqlite3step: 68 34 1C 7B E1 0x4e298:$sqlite3text: 68 38 2A 90 C5 0x4e3bd:$sqlite3text: 68 38 2A 90 C5 0x121cb8:$sqlite3text: 68 38 2A 90 C5 0x121ddd:$sqlite3text: 68 38 2A 90 C5 0x14f0d8:$sqlite3text: 68 38 2A 90 C5 0x14f1fd:$sqlite3text: 68 38 2A 90 C5 0x4e2ab:$sqlite3blob: 68 53 D8 7F 8C 0x4e3d3:$sqlite3blob: 68 53 D8 7F 8C 0x121ccb:$sqlite3blob: 68 53 D8 7F 8C 0x121df3:$sqlite3blob: 68 53 D8 7F 8C 0x14f0eb:$sqlite3blob: 68 53 D8 7F 8C 0x14f213:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.fragrantneed.com/an49/"], "decoy": ["vfmcxfjaukmccjn.com", "visualdvledtechnology.com", "webfinder.online", "anhuizuche.com", "animalmusts.com", "seaspraylux.com", "paribusproductions.com", "veterinarydoctortiny.com", "valyhags.com", "qhdlvjx.com", "bagsboutique.online", "horibest.com", "niejernen.com", "trivantages.com", "webtesterpro.com", "806425.com", "maystonecounseling.com", "xzvsadt9.com", "lyypu.icu", "emagrecasaudavel.online", "eco2earn.com", "rg74.com", "qqbolazona.net", "consensuspayment.xyz", "organicsroyalty.com", "mysam.net", "tjsgyg.com", "jia-nong.com", "abpositive.life", "citla.net", "threesixtytools.com", "emailchant.com", "usedcarsdepotus.com", "weipaotu.com", "tourmovie.com", "jejelou.net", "treeleo.com", "sydneychaandraat.com", "aurethas.com", "hd1bw6fq7yobfu.xyz", "racetherattler.com", "blightbane.com", "darion.pro", "jayzerel.com", "canzip.online", "bodakelly.com", "movedigitalmedia.com", "reamofe.xyz", "panzoism.com", "crazyjs.xyz", "hu1b7mxq5intpd.xyz", "water168.xyz", "nabirgbroom.com", "nelagarments.com", "drailsashailer.com", "youngmusiad.net", "dadhowto.com", "monolocostore.com", "nichinansemento.com", "52apollo.com", "butlerinu.xyz", "setsnshop.com", "da3a8msr4xek5w.life", "cleburnewalkinshowers.com"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Virustotal: Detection: 36%			Perma Link
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	ReversingLabs: Detection: 41%

Yara detected FormBook

Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Joe Sandbox ML: detected

Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: CCMDiction.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source:	Binary string: CCMDiction.pdb(. source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 4x nop then pop ebx	5_2_00407B1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 4x nop then pop edi	5_2_0040E46A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 4x nop then pop edi	5_2_00417D8F

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.fragrantneed.com/an49/

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.241129650.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.241159928.00000000061E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comion?
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comoG
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237762346.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.239456169.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237595456.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237693500.000000000620E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237609920.00000000061EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comn
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250763673.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250083360.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250279492.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250915630.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250460300.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250823827.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250185943.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250231636.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250517761.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250691015.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250566257.0000000006219000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.251137378.00000000061E9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250309860.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250704397.00000000061E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.287571934.0000000007C70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000000.232227017.0000000000F84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCCMDiction.exe6 vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000000.276482809.0000000000DE4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCCMDiction.exe6 vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.283138098.0000000001AFF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278923764.0000000001631000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280915296.00000000017D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Binary or memory string: OriginalFilenameCCMDiction.exe6 vs SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_016A4358	0_2_016A4358
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_016A40A9	0_2_016A40A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_016A40B8	0_2_016A40B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_016A4348	0_2_016A4348
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_090C9CE8	0_2_090C9CE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_090C76E8	0_2_090C76E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_090C0027	0_2_090C0027
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041E03B	5_2_0041E03B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041EB41	5_2_0041EB41
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041DBDC	5_2_0041DBDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041E4F0	5_2_0041E4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041DCF3	5_2_0041DCF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00402D87	5_2_00402D87
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041D5A3	5_2_0041D5A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00409E5B	5_2_00409E5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00409E60	5_2_00409E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041DF8D	5_2_0041DF8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041E7BF	5_2_0041E7BF

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041A360 NtCreateFile,	5_2_0041A360
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041A410 NtReadFile,	5_2_0041A410
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041A490 NtClose,	5_2_0041A490
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041A540 NtAllocateVirtualMemory,	5_2_0041A540
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041A4BA NtClose,	5_2_0041A4BA

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Virustotal: Detection: 36%
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	ReversingLabs: Detection: 41%

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.240010352.000000000620D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: 0s.slnt

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.log

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: CCMDiction.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source:	Binary string: CCMDiction.pdb(. source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282869497.000000000196F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000002.282332477.0000000001850000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.280338890.00000000016B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000005.00000003.278588709.000000000151B000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 0_2_090C3240 push ss; iretd	0_2_090C3241
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00417987 push eax; ret	5_2_00417989
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0040B419 push eax; ret	5_2_0040B41F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041D4B5 push eax; ret	5_2_0041D508
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041D56C push eax; ret	5_2_0041D572
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_00417D79 pushfd ; ret	5_2_00417D8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041D502 push eax; ret	5_2_0041D508
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041D50B push eax; ret	5_2_0041D572
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041A5F7 push esp; ret	5_2_0041A5F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_004165F6 push edx; iretd	5_2_00416602
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Code function: 5_2_0041BE2B push FFFFFFC8h; retf	5_2_0041BE2D

Source: initial sample

Static PE information: section name: .text entropy: 7.74910295141

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe PID: 3748, type: MEMORYSTR

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe TID: 4180	Thread sleep time: -45733s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe TID: 3804	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Thread delayed: delay time: 45733			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Code function: 5_2_00409AB0 rdtsc

5_2_00409AB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.453be20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.44b7400.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	112 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	36%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	41%	ReversingLabs	ByteCode-MSIL.Backdoor.Androm
SecuriteInfo.com.W32.AIDetectNet.01.21425.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.0.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
5.2.SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comoG	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
www.fragrantneed.com/an49/	0%	Avira URL Cloud	safe
http://www.fontbureau.comion?	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.fragrantneed.com/an49/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250763673.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250083360.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250279492.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250915630.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250460300.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250823827.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250185943.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250231636.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250517761.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250691015.0000000006219000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250566257.0000000006219000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.251137378.00000000061E9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250309860.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.250704397.00000000061E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comoG	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comn	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237609920.00000000061EB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ascendercorp.com/typedesigners.html	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.241129650.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.241159928.00000000061E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237762346.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.239456169.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237595456.000000000620E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.237693500.000000000620E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.286022731.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comion?	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000003.279317844.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.21425.exe, 00000000.00000002.285455437.00000000061D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626308
Start date and time: 13/05/202220:41:11	2022-05-13 20:41:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetectNet.01.21425.740 (renamed file extension from 740 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 34.1% (good quality ratio 31.9%) Quality average: 70.1% Quality standard deviation: 31.4%
HCA Information:	Successful, ratio: 86% Number of executed functions: 30 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:42:26	API Interceptor	1x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.21425.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.740225558976253
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
File size:	661504
MD5:	3da44c0f1ed72b72ccd424f5aa59d741
SHA1:	0ee6faecf98ce05e6f135d80ac354382b48eb159
SHA256:	69373d6ff7f903c56ae75d1a25800e1b161c9cfa9d5fed15eb36216937a24714
SHA512:	f3490b20f09835e183bd67add45146bdf51df4cbf6caf75ed94b59a40b10d49ff5ec2eba99924e572e3f35c73a3ce846cda99aa4ab2ae60001aa8418286ceff8
SSDEEP:	12288:do2t9Mxsy63OdmqOkMsXCbXBn2vgp86r4NrFHPgsJ6NLAhlCQ9:OHxJnOcXUn2vgu6uvgA6NLKl
TLSH:	D8E4F17DF9F38E52C70826B6C0D62A1007B44E56E277E3AB2E4501E96D027DBCD4678B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~b..............0.............N.... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4a2e4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627E1ED5 [Fri May 13 09:03:17 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa2e00	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x384	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa2dbb	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa0e54	0xa1000	False	0.869631939053	data	7.74910295141	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x384	0x400	False	0.3701171875	data	2.85474815119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa4058	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	CCMDiction.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ResetEvent
ProductVersion	1.0.0.0
FileDescription	ResetEvent
OriginalFilename	CCMDiction.exe

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.AIDetectNet.01.21425.exePID: 3748, Parent PID: 5704

General

Target ID:	0
Start time:	20:42:12
Start date:	13/05/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe"
Imagebase:	0xee0000
File size:	661504 bytes
MD5 hash:	3DA44C0F1ED72B72CCD424F5AA59D741
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.280888479.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.283123736.0000000004416000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: SecuriteInfo.com.W32.AIDetectNet.01.21425.exePID: 3620, Parent PID: 3748

General

Target ID:	5
Start time:	20:42:33
Start date:	13/05/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe
Imagebase:	0xd40000
File size:	661504 bytes
MD5 hash:	3DA44C0F1ED72B72CCD424F5AA59D741
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.277584447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.278111506.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.AIDetectNet.01.21425.exePID: 3748, Parent PID: 5704COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	67
Total number of Limit Nodes:	4

Executed Functions

Function 016A4358 Relevance: 2.2, Strings: 1, Instructions: 989
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 016A4835

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 3246d9c677b14579b310d71e9313b748196cbc72f5eae57b7b63b8c9d0e95322
Instruction ID: ad1f255523553307b255cbde9ce1d3c472f4285ad85d7d3bbfcf801f4cde7d70
Opcode Fuzzy Hash: 3246d9c677b14579b310d71e9313b748196cbc72f5eae57b7b63b8c9d0e95322
Instruction Fuzzy Hash: EBA2C575A00228CFDB65CF69CD84A99BBB2FF89304F1581E9D509AB325DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 090C9CE8 Relevance: .6, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.288175109.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334fc05c97b3581815d4d9cc6b38226cdfed6288a7e82fc7de0b01d223ecdd3c
Instruction ID: 96f50255cd195dd665773ccc904cfbb8e82103e68dac07eca1f3b85d9a24cc28
Opcode Fuzzy Hash: 334fc05c97b3581815d4d9cc6b38226cdfed6288a7e82fc7de0b01d223ecdd3c
Instruction Fuzzy Hash: 6C32AAB0B012089FDB15DFA9C554BAEB7F6AF89700F24886DE1069B3A1CB35ED05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 090C76E8 Relevance: .2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.288175109.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9e16cb59b34dd7cfe483ef9c8c9a7aed831246bff821d090619480dec9fb8b
Instruction ID: 94b1cccf15a9deacb8f53fdf2d91e1e40496716184223e6541d45669dc88a44b
Opcode Fuzzy Hash: 4c9e16cb59b34dd7cfe483ef9c8c9a7aed831246bff821d090619480dec9fb8b
Instruction Fuzzy Hash: 3C9122B0E05229CFDB64CF65D884BEDB7F6AB89300F1096AA951DA7240DB745AC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 016AC430 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016AC542

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 618538e3bb7e3813d90f33f0f661cef48e55ca75d9f5eb9d2c81937282b6ccc3
Instruction ID: 03016cdd79200e63645703abbbee615a118f4977a9bb6e181f3950aef8b4b092
Opcode Fuzzy Hash: 618538e3bb7e3813d90f33f0f661cef48e55ca75d9f5eb9d2c81937282b6ccc3
Instruction Fuzzy Hash: C841CFB1D103099FDF14CF99C984ADEBBB5BF88314F64822AE819AB310D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016A6BD7 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016A6C91

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f28ab5ba2ac4e1f4174d060cef90d81e3aa546a992ff0a0a5ead9feabb23938f
Instruction ID: 635d4b431e38dd00e5d09461da8f6da20a80770d85bce0c514486c113efcff7c
Opcode Fuzzy Hash: f28ab5ba2ac4e1f4174d060cef90d81e3aa546a992ff0a0a5ead9feabb23938f
Instruction Fuzzy Hash: 7241F271C04618CFDB24DFA9C844BDEBBB1FF89308F558069D409AB250D7756949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016A57D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016A6C91

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 746a1926d0227baad829095a7aa0cbe3285d3c503744cdc5e0c00499c94b8004
Instruction ID: f4376462fab949cefa4344f5b84733edfd9df6e5123d796a22710a3049aa9e9f
Opcode Fuzzy Hash: 746a1926d0227baad829095a7aa0cbe3285d3c503744cdc5e0c00499c94b8004
Instruction Fuzzy Hash: 41410271C04218CFDB24DFA9C844BDEBBB1FF88308F548469D409AB250D7756949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016AE9F0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 016AEAB1

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 855c3edc386961e66fb76a0b3d8ae3f4d08e239abd6dc05fa4026e43c4ee29f8
Instruction ID: 5f4299b0a64f66f8d61616e7099e316e87f280fa0a6d86294f73cfdf1c1a57f0
Opcode Fuzzy Hash: 855c3edc386961e66fb76a0b3d8ae3f4d08e239abd6dc05fa4026e43c4ee29f8
Instruction Fuzzy Hash: 744116B4A003059FDB14CF99C888AAABBF5FF89314F14C559D919AB321D775AC41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 090C729C Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 090C91A5

Memory Dump Source

Source File: 00000000.00000002.288175109.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90c0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5bd4cfdfe1e511906bdde27e6da1ac4298edc5da5b76de84ea88db31e4b765b7
Instruction ID: 23c81f8c77eb30148bb360366e1c5fad66fb067226365b34e9b86b7ddac77a00
Opcode Fuzzy Hash: 5bd4cfdfe1e511906bdde27e6da1ac4298edc5da5b76de84ea88db31e4b765b7
Instruction Fuzzy Hash: 8711D3B58003499FDB10CF99C889BDEBBF8EB58324F548859E915A7700C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016AC678 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 016AC6D5

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1caa51041a665a0090f8b7c3d0f3eecf29168fabdf0b84df20ef223a64f896ef
Instruction ID: e1942589d86b7ebf12ad5628c2795b7d2049eaf399b02035bf87830ef4e80002
Opcode Fuzzy Hash: 1caa51041a665a0090f8b7c3d0f3eecf29168fabdf0b84df20ef223a64f896ef
Instruction Fuzzy Hash: 651100B58002489FDB10CF99C988BDFBBF8EB88324F10851AD915A7300C374A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0150D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280506353.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc239b4a03e687b69ff64ccdb5c681967da25edac181264d86b03702ec25982
Instruction ID: 0dfc7a3cdbc43476986dc3b386aeb7a3267670084ac3f2dc3f86735691e10cb5
Opcode Fuzzy Hash: 0cc239b4a03e687b69ff64ccdb5c681967da25edac181264d86b03702ec25982
Instruction Fuzzy Hash: D121D671504244DFDB06CFD4D9C4B2ABBB5FB88328F248569ED054F296C337D856CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0150D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280506353.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b232fea27c2a8b0a79ee9c37e4076e8a2aa94912a9fcf6f2d62fcd3aead2c52
Instruction ID: 1b77e7e736b89ca6ff31342743e184245c6c2eb850f7d1c8aeebfb5f508ae339
Opcode Fuzzy Hash: 5b232fea27c2a8b0a79ee9c37e4076e8a2aa94912a9fcf6f2d62fcd3aead2c52
Instruction Fuzzy Hash: 092133B1504204EFCB02DFD4D9C0B6ABBB1FB84324F25C969E9094F287C376E846C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0151D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280531727.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39ee72df2dc5b22f4b46b249a5c05f21135b08bbd8de8d9544188255df2bba6
Instruction ID: 58e04b1a5d537f96d51c3e0e6a51eae6ea6d28905048ef8a1f534af2e1f0b3f6
Opcode Fuzzy Hash: d39ee72df2dc5b22f4b46b249a5c05f21135b08bbd8de8d9544188255df2bba6
Instruction Fuzzy Hash: 6C213771504200DFEB02CF94D5C8B6ABBB1FB84324F20CA6DD9194F24AC33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0151D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280531727.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8209c12b9f881da62992f7035e03d9287159dd2cdce59da3aaa0e1e17e577c59
Instruction ID: 20051786a957fc35bae42c80dffb1cf8c91772916482a4101c027a790c7e8b96
Opcode Fuzzy Hash: 8209c12b9f881da62992f7035e03d9287159dd2cdce59da3aaa0e1e17e577c59
Instruction Fuzzy Hash: 89212575504204DFEB16CF64D9C8B26BBB1FB84364F20C96DD9094F24AD33BD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0151D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280531727.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128919bb88b98c9b36c7b59eb0f42faf7387478f6ea57d6743b20a7e92e48550
Instruction ID: b4c125bf97ddc6d56cc8d1e8847f6fd3b85f6199ba163a69fe008723bbc2dcab
Opcode Fuzzy Hash: 128919bb88b98c9b36c7b59eb0f42faf7387478f6ea57d6743b20a7e92e48550
Instruction Fuzzy Hash: C9218E755093808FDB03CF24D994B15BF71FB46214F28C6EAD8498F667C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0150D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280506353.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction ID: aeb727dbe101d860ed748b285f6bd824fecea609f1d2e20bdb75756f8c18fa56
Opcode Fuzzy Hash: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction Fuzzy Hash: BB11AF76504280CFCB16CF94D5C4B1ABF71FB84324F2486A9DC050B656C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280506353.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction ID: b1bf504653b56a8fdc7e822343b030504535c10c49926143f7071feb9195524e
Opcode Fuzzy Hash: 2e6e55a4ab5eb979f697d8d29e7311c2f7f882bfa19d016223f37d0021767ff8
Instruction Fuzzy Hash: 3411B176504284DFCB06CF94D9C4B5ABF72FB84320F24C6A9D8080B657C37AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0151D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280531727.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c71907b7ed15bb6a73651dcce162dc4bb009ed38cbefdc19058d3c3c88dcf41
Instruction ID: d05868b9469826f91cdaafcb199f5f36e79200e7900ce9ddea5ca1bb71cd3d71
Opcode Fuzzy Hash: 4c71907b7ed15bb6a73651dcce162dc4bb009ed38cbefdc19058d3c3c88dcf41
Instruction Fuzzy Hash: 8B11BB75904280DFDB02CF54C5C4B59BBB1FB84224F28C6A9D8594B65AC33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0150D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280506353.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3243738df055bda17e7d7b9605fdcb81f1e35dda7573d6a97c6cf28d292150a9
Instruction ID: ef47c19eca6c63b2043366bc05c6e6069bcb78691279b1844230aecef1145297
Opcode Fuzzy Hash: 3243738df055bda17e7d7b9605fdcb81f1e35dda7573d6a97c6cf28d292150a9
Instruction Fuzzy Hash: F901F7710083849AE7124EE9CD84B6AFBE8FF81278F08855AEE055E287C3799840C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0150D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280506353.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b140b15c11d13ec764cf7dbe0caa02e2c849aef65e962ed10779671083e05bf9
Instruction ID: 043f4fcbd793a467b013b02ac1080369e66f4c8b4e31bc11d98085d019206799
Opcode Fuzzy Hash: b140b15c11d13ec764cf7dbe0caa02e2c849aef65e962ed10779671083e05bf9
Instruction Fuzzy Hash: 17F062714042849AE7158E99CC84B66FFE8EB81674F18C55AED085F287C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 016A4348 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b1d08d21fecc02390dc72828b17c758c367a5357f37a4eccd08ee413b8ab72
Instruction ID: 25de67c97b160489faa5d73a7eb73cc0f30a87286591a680a7cfcf63f4c5b8a5
Opcode Fuzzy Hash: 53b1d08d21fecc02390dc72828b17c758c367a5357f37a4eccd08ee413b8ab72
Instruction Fuzzy Hash: DCC16475E006288FDB58CF6ACD84A99BBF2AF89300F54C0A9D509AB325DB305E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 016A40A9 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ef6d66c7d07f46691eb7513a1cc93cb1c750c5172d2fef50759066f7aeb5c0
Instruction ID: 1f4c9c9f1810f74c1d557185d08f93182985c39d7052fc6600a52addeb2fd28f
Opcode Fuzzy Hash: 56ef6d66c7d07f46691eb7513a1cc93cb1c750c5172d2fef50759066f7aeb5c0
Instruction Fuzzy Hash: B5614B71E002098FD74ADFAAE94469ABBF3FBC8304F05C429C514AF264EB74594A9F91

Uniqueness

Uniqueness Score: -1.00%

Function 016A40B8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280707034.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82faf4c340ae37b205239a015e3a3d7c6a599d1c060d3c1589f52eba4badc392
Instruction ID: f5683e8627f913a8b999e1bcd9ca6e0c0fd9b586941b2db067c98bd6b7a6b44d
Opcode Fuzzy Hash: 82faf4c340ae37b205239a015e3a3d7c6a599d1c060d3c1589f52eba4badc392
Instruction Fuzzy Hash: EC616C71E002098FD749DFAAE544A9ABBF3FBC8304F05C439C514AF268EB7459099F91

Uniqueness

Uniqueness Score: -1.00%

Function 090C0027 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.288175109.00000000090C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac16fdfe5411b787b6cf4e439dad8387b1c28641cf44c8fb96eb411350762ab
Instruction ID: eeb83b6d2cf2e226279b842c6c07d82cadfb9cca4f47aee5c0473ae2ad7deead
Opcode Fuzzy Hash: dac16fdfe5411b787b6cf4e439dad8387b1c28641cf44c8fb96eb411350762ab
Instruction Fuzzy Hash: FC412271D05B548FEB5CCF6B8C4069AFAF3AFC9201F18C1BAD40CA6265EB3415858F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.W32.AIDetectNet.01.21425.exePID: 3620, Parent PID: 3748COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	298
Total number of Limit Nodes:	29

Executed Functions

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x414a31
				_t6 =  &_a32; // 0x414d72
				_t12 =  &_a8; // 0x414d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x0041a413
0x0041a41f
0x0041a427
0x0041a42c
0x0041a432
0x0041a44d
0x0041a455
0x0041a459

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4BA Relevance: 1.5, APIs: 1, Instructions: 44
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 3270553e6907baba3d163c397d5d1d2012c54fd6dde9be7e4f8c7a0e7591ca55
Instruction ID: 82222c4eb3257125cdcdf6e87fd2f8865e389c42c2f928f8af9db81bec536a5b
Opcode Fuzzy Hash: 3270553e6907baba3d163c397d5d1d2012c54fd6dde9be7e4f8c7a0e7591ca55
Instruction Fuzzy Hash: BD0181B52001086FCB10DF98DC81DEB77A9EF88324F208559F94D97242C635E8518BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041a36f
0x0041a377
0x0041a3ad
0x0041a3b1

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a54f
0x0041a557
0x0041a579
0x0041a57d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409AB0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407EA0(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E004080B0( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041BE10( &_v284, 0x104);
						E0041C480( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe045
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080E0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408160(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409abb
0x00409ac3
0x00409ac5
0x00409aca
0x00409acf
0x00409ae2
0x00409ae7
0x00409af0
0x00409afc
0x00409b0f
0x00409b14
0x00409b17
0x00409b20
0x00409b32
0x00409b37
0x00409b3c
0x00000000
0x00000000
0x00409b3e
0x00409b42
0x00000000
0x00000000
0x00409b44
0x00000000
0x00409b42
0x00409b46
0x00409b49
0x00409b4f
0x00409b51
0x00409b5c
0x00409b61
0x00409b64
0x00409b71
0x00409b7c
0x00409b7e
0x00409b84
0x00409b88
0x00409b8b
0x00409b8b
0x00409b92
0x00409b95
0x00409b9a
0x00409ba7
0x00409ad6
0x00409ad6
0x00409ad6

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed878d8682106b50380cb3f7a3660dbe535b89e10b8b11201fef7fd01b0729b
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: 4ed878d8682106b50380cb3f7a3660dbe535b89e10b8b11201fef7fd01b0729b
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: 6EA
API String ID: 3298025750-1400015478
Opcode ID: 5304f99199cc5344202ee1135ec850f2f663834a0a9a72cbf6f89bf63bdf5892
Instruction ID: 16a3f995337f8e2c4385bfad51fcf563527f35bc3975e45514ceebc0da5312a6
Opcode Fuzzy Hash: 5304f99199cc5344202ee1135ec850f2f663834a0a9a72cbf6f89bf63bdf5892
Instruction Fuzzy Hash: 9BF0A9B6200208AFDB24EF59DC40EEB33A9EF88714F19814AFD0C57302D631E920CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
				intOrPtr _t7;
				void* _t10;
				void* _t15;

				_t7 = _a4;
				E0041AF60(_t15, _t7, _t7 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x414536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x0041a633
0x0041a647
0x0041a652
0x0041a65d
0x0041a661

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5BA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A5BA(void* __eax) {
				void* _t9;
				void* _t14;
				void* _t18;

				E0041AF60(_t14, __eax, __eax + 0xc70,  *((intOrPtr*)(__eax + 0x10)), 0, 0x34);
				_t5 = _t18 + 0xc; // 0x414536
				_t9 = RtlAllocateHeap( *_t5,  *(_t18 + 0x10),  *(_t18 + 0x14)); // executed
				return _t9;
			}

0x0041a647
0x0041a652
0x0041a65d
0x0041a661

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 2669dedf1251c175eccc5353f27183fcd357daa357cf933456236a8698346c9b
Instruction ID: b574a28a350e6e547d928f58f8d8b9a1961f9701064330b7c9d819fa567d54ef
Opcode Fuzzy Hash: 2669dedf1251c175eccc5353f27183fcd357daa357cf933456236a8698346c9b
Instruction Fuzzy Hash: 60E08CB1201204ABD724DF55CC40EE7336CEF88314F258549FA0D5B281C530E822CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E0041A670(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				char _t10;
				void* _t12;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t9 = _a12;
				_t12 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9);
				_t10 = RtlFreeHeap(_t12); // executed
				return _t10;
			}

0x0041a67f
0x0041a687
0x0041a68f
0x0041a692
0x0041a696
0x0041a69b
0x0041a69d
0x0041a6a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A2 Relevance: 1.5, APIs: 1, Instructions: 14
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f542048db4494a127abcd3378f75cb9e90265658b028a8ff5dd88ae2c8890ad6
Instruction ID: ab52722a6b549650ed21ff3eb1bfadcd270b911449a0399e56dca95450cfa4b4
Opcode Fuzzy Hash: f542048db4494a127abcd3378f75cb9e90265658b028a8ff5dd88ae2c8890ad6
Instruction Fuzzy Hash: E0C0C03520006206C110AF19EC204F36307FBC4310318C956C0C84E200CD328C128360

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00417D8F Relevance: 4.1, Strings: 3, Instructions: 323
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00417D8F(void* __eax, void* __edi, void* __eflags, char _a4) {
				void* _v1;
				char _v5;
				short _v7;
				char _v8;
				char _v12;
				char _v13;
				short _v15;
				char _v19;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v91;
				char _v92;
				char _v155;
				char _v156;
				char _v260;
				char _v778;
				char _v780;
				char _t127;
				void* _t137;
				signed int _t142;
				intOrPtr _t157;
				intOrPtr _t200;
				char _t204;
				void* _t260;
				char _t264;
				intOrPtr _t265;
				void* _t269;
				void* _t274;
				void* _t275;
				void* _t278;

				if(__eflags <= 0) {
					asm("sbb eax, 0x8b5502c0");
					_t269 = __eax;
					_t274 = __eax - 0x308;
					_v92 = 0;
					E0041BE60( &_v91, 0, 0x3f);
					_t275 = _t274 + 0xc;
					_v20 = 0;
					_v19 = 0;
					_v15 = 0;
					_v13 = 0;
					_t264 = 0;
					__eflags = 0;
					do {
						_t127 = E0040A480(__eflags, 0x4e, 0x8d);
						_t275 = _t275 + 8;
						_t204 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t127 -  *((intOrPtr*)(_t269 + _t204 - 0x10));
							if(_t127 ==  *((intOrPtr*)(_t269 + _t204 - 0x10))) {
								goto L9;
							}
							_t204 = _t204 + 1;
							__eflags = _t204 - _t264;
							if(_t204 <= _t264) {
								continue;
							} else {
								__eflags = _t127;
								if(_t127 != 0) {
									 *((char*)(_t269 + _t264 - 0x10)) = _t127;
									_t264 = _t264 + 1;
									__eflags = _t264;
								}
							}
							goto L9;
						}
						L9:
						__eflags = _t264 - 8;
					} while (__eflags < 0);
					_v12 = 0x2e777777;
					_v8 = 0;
					_v7 = 0;
					_v5 = 0;
					_v156 = 0;
					E0041BE60( &_v155, 0, 0x3f);
					_push(E0040A480(__eflags, 2, 5) & 0x000000ff);
					_push( &_v156);
					E0041C710();
					 *((char*)(_t269 + E0041C0B0( &_v156) - 0x98)) = 0x3d;
					_push(E0040A480(__eflags, 4, 0x10) & 0x000000ff);
					_push(_t269 + E0041C0B0( &_v156) - 0x98);
					_t137 = E0041C710();
					_t24 =  &_a4; // 0x2e777777
					_t265 =  *_t24;
					_t200 = 0;
					_t278 = _t275 + 0x34;
					_v24 = 0;
					_t260 = 0;
					do {
						__eflags =  *((intOrPtr*)(_t265 + 0x1168)) - _t200;
						if( *((intOrPtr*)(_t265 + 0x1168)) != _t200) {
							E0041BE10( &_v92, 0x2e);
							_v780 = 0;
							E0041BE60( &_v778, 0, 0x206);
							E0041BE10( *((intOrPtr*)(_t265 + 0x14a4)) + _t260, 0x388);
							_t142 = E0041C3D0();
							_t32 = _t200 - 1; // -1
							 *( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x40) = _t142 * _t32 & 0x00000001;
							E0041BDE0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x87,  &_v156, E0041C0B0( &_v156));
							_t40 =  &_v12; // 0x2e777777
							E0041BDE0( &_v92, _t40, 4);
							_push(4);
							E0040AFB0(_t200, _t265, __eflags, _t265, _t269 + E0041C0B0( &_v92) - 0x58,  *(_t269 + _t200 - 0x10) & 0x000000ff);
							E0041BDE0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260,  &_v92, E0041C0B0( &_v92));
							_t157 = E0041C0B0( &_v92);
							_t202 = _t265 + 0xe90;
							_v28 = _t157;
							E0041C1E0( &_v92, _t265 + 0xe90, 0);
							E00409E20( &_v260);
							E0040AB70( &_v260,  &_v92, E0041C0B0( &_v92));
							E0040AB40( &_v260);
							E0041BDE0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x72,  &_v260, 0x14);
							 *((char*)(_t269 + _v28 - 0x58)) = 0;
							 *((intOrPtr*)( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x4c)) = 2;
							 *((intOrPtr*)( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x50)) = 1;
							E0040B040(_t265 + 0xe90, _t265, __eflags, _t265,  &_v780, 0x41, 1);
							E0041C480( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0xc7,  &_v780);
							E0040B040(_t265 + 0xe90, _t265, __eflags, _t265,  &_v780, 0x42, 1);
							E0041C480(E0041C0B0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0xc7) +  *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0xc7,  &_v780);
							E0041C1E0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0xc7,  &_v92, 0);
							E0040B040(_t202, _t265, __eflags, _t265,  &_v780, 0x45, 1);
							E0041C480( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x167,  &_v780);
							E0040B040(_t202, _t265, __eflags, _t265,  &_v780, 0x46, 1);
							E0041C480(E0041C0B0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x167) +  *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x167,  &_v780);
							E0041C1E0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x167,  &_v92, 0);
							E0040B040(_t202, _t265, __eflags, _t265,  &_v780, 0x4a, 1);
							__eflags = E0041C0B0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x287) +  *((intOrPtr*)(_t265 + 0x14a4));
							E0041C480(E0041C0B0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x287) +  *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x287,  &_v780);
							E0041C1E0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x287,  &_v92, 0);
							_t137 = E0041C1E0( *((intOrPtr*)(_t265 + 0x14a4)) + _t260 + 0x287, _t202, 0);
							_t200 = _v24;
							_t278 = _t278 + 0x144;
						}
						_t200 = _t200 + 1;
						_t260 = _t260 + 0x388;
						_v24 = _t200;
						__eflags = _t260 - 0x1c40;
					} while (_t260 < 0x1c40);
					return _t137;
				} else {
					asm("lds ecx, [ebp+0x72f52c32]");
					_push(cs);
					asm("movsb");
					asm("lock cwde");
					asm("in eax, dx");
					_push(ds);
					asm("adc bl, [edi+ebx*8+0x646ada1]");
					asm("rcl byte [eax-0x2f36f9ca], 1");
					asm("adc [ebp-0xc457319], edi");
					asm("adc al, 0xe9");
					return 0x4c;
				}
			}

0x00417d91
0x00417dcd
0x00417dd1
0x00417dd3
0x00417de4
0x00417de8
0x00417def
0x00417df2
0x00417df6
0x00417df9
0x00417dfd
0x00417e00
0x00417e00
0x00417e02
0x00417e09
0x00417e0e
0x00417e11
0x00417e11
0x00417e13
0x00417e13
0x00417e17
0x00000000
0x00000000
0x00417e19
0x00417e1a
0x00417e1c
0x00000000
0x00417e1e
0x00417e1e
0x00417e20
0x00417e22
0x00417e26
0x00417e26
0x00417e26
0x00417e20
0x00000000
0x00417e1c
0x00417e27
0x00417e27
0x00417e27
0x00417e38
0x00417e3f
0x00417e43
0x00417e47
0x00417e4a
0x00417e50
0x00417e61
0x00417e68
0x00417e69
0x00417e7e
0x00417e91
0x00417ea8
0x00417ea9
0x00417eae
0x00417eae
0x00417eb1
0x00417eb3
0x00417eb6
0x00417eb9
0x00417ec0
0x00417ec0
0x00417ec6
0x00417ed2
0x00417ee6
0x00417eed
0x00417f00
0x00417f05
0x00417f10
0x00417f19
0x00417f3f
0x00417f46
0x00417f4e
0x00417f5b
0x00417f70
0x00417f8c
0x00417f95
0x00417f9c
0x00417fa7
0x00417faa
0x00417fb6
0x00417fd0
0x00417fdf
0x00417ff8
0x00418006
0x00418015
0x00418025
0x0041802d
0x00418047
0x00418058
0x0041808b
0x004180a4
0x004180b5
0x004180cf
0x004180e0
0x00418113
0x0041812c
0x0041813d
0x0041815f
0x00418170
0x00418189
0x0041819f
0x004181a4
0x004181a7
0x004181a7
0x004181aa
0x004181ab
0x004181b1
0x004181b4
0x004181b4
0x004181c6
0x00417d93
0x00417d93
0x00417d9b
0x00417d9c
0x00417d9d
0x00417d9f
0x00417da3
0x00417da4
0x00417dab
0x00417db6
0x00417dbc
0x00417dc9
0x00417dc9

Strings

www., xrefs: 00417EAE, 00417F6F, 00418024, 00418057, 004180B4, 004180DF, 0041813C
=, xrefs: 00417E7E
www., xrefs: 00417F46, 00417F49

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: =$www.$www.
API String ID: 0-3343787489
Opcode ID: 7be016d80460a8a1b76c5ff737973e5e2247fef4e2f4c5279ce1ea8d59ccfac8
Instruction ID: ec73b18e1ea57a5636c2ceeac009c9ed2703a4033b3d15a9dd3f4c48b9a834bc
Opcode Fuzzy Hash: 7be016d80460a8a1b76c5ff737973e5e2247fef4e2f4c5279ce1ea8d59ccfac8
Instruction Fuzzy Hash: 97C1C3B1940248AACB15DBF0CC82FDFB77CAF44308F04455EF6195A182DB78A684CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E46A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa6185e4b204748f6d1111e3a0f947dd2afa9601ad001b4350346e597027778
Instruction ID: aa74734cd191fc3582222480cab941632401a3c66f333bc62df168440cef8e3a
Opcode Fuzzy Hash: aaa6185e4b204748f6d1111e3a0f947dd2afa9601ad001b4350346e597027778
Instruction Fuzzy Hash: 96D0A923A0D61A0D66628C8AAE922B1E3A4F1C30B7BA867AF8587AB1028452D00D1189

Uniqueness

Uniqueness Score: -1.00%

Function 00407B1A Relevance: .0, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00407B1A(void* __eax, signed int __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi) {

				fs =  *__esi;
				asm("lds edx, [ebx+0x21]");
				_push(__edx);
				 *((intOrPtr*)(__edi - 0x68)) =  *((intOrPtr*)(__edi - 0x68)) - __edx;
				asm("lock push ss");
				 *(__ebx - 0x40) =  *(__ebx - 0x40) ^ __ebx;
				return 1;
			}

0x00407b1c
0x00407b1f
0x00407b22
0x00407b23
0x00407b26
0x00407b28
0x00407b3a

Memory Dump Source

Source File: 00000005.00000002.281405264.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace3b453c3df93af392c8adb35a80300f67efe43a2bfb11dc08004285853aa87
Instruction ID: c9f2826bc6164dd03ba616d094df6bafc981e8ca9453f4a739f242ce79006d04
Opcode Fuzzy Hash: ace3b453c3df93af392c8adb35a80300f67efe43a2bfb11dc08004285853aa87
Instruction Fuzzy Hash: 4FD0A71551919006DF214F29A8911E2FF74DF47210F1012CBD88467106D152C001C345

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetectNet.01.21425.740

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.21425.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.21425.740

Function 016A4358 Relevance: 2.2, Strings: 1, Instructions: 989
COMMON

Function 090C9CE8 Relevance: .6, Instructions: 633
COMMON

Function 090C76E8 Relevance: .2, Instructions: 219
COMMON

Function 016AC430 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 016A6BD7 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 016A57D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 016AE9F0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 090C729C Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Function 016AC678 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Function 0041A4BA Relevance: 1.5, APIs: 1, Instructions: 44
nativeCOMMON

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 00409AB0 Relevance: .1, Instructions: 92
COMMON

Function 0041A5F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
memoryCOMMON

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Function 0041A5BA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memoryCOMMON

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 0041A6A2 Relevance: 1.5, APIs: 1, Instructions: 14
memoryCOMMON