

Windows Analysis Report
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.30092

Overview

General Information

Sample Name: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.30092 (renamed file extension from 30092 to exe)
Analysis ID: 635347
MD5: f5be926b8353b200b0d078b6bdbb2409
SHA1: 082c34d23a644ed820470c67e7ab3ba47c3929e3
SHA256: e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe" MD5: F5BE926B8353B200B0D078B6BDBB2409)
    • powershell.exe (PID: 6456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jndOnPqDCz.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5988 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jndOnPqDCz" /XML "C:\Users\user\AppData\Local\Temp\tmp127A.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.satoshika1966.com/oi25/"], "decoy": ["lawyers-tools-kit.com", "9fjca.com", "insurancewebforms.com", "trippinapetrlbe.xyz", "insurancebiography.com", "zb-yufeng.com", "5cidercircle.com", "sixthfleet.site", "jumple.net", "news-polygraph.com", "foresthillswoodworks.com", "matiagro.com", "lyndalloyd.com", "dianashairbraiding.com", "growmediaceylon.com", "sansinterprise.com", "bestonlinetravelsdeals.com", "eleganceresidences.site", "webstooge.com", "3pot.top", "remarksless.com", "herefun.xyz", "alekessentials.com", "nailsdonebypatty.com", "futureflipinternational.com", "globalmaintenancellc.com", "stakemyday.host", "spiritualitywithmartamaria.com", "convergeintl.com", "caminataporlaafasia.com", "azino777-kazinos563.win", "speedieb.com", "sjrz.net", "alternativewellnessspa.com", "xn--nachhilfe-zrich-9vb.net", "mytexdijital.com", "licabolodoces.com", "wydguardian.com", "sophiacarlisle.com", "circle-design.com", "varda-art-bazaar.com", "ananyashop.com", "0851yoga.com", "notveecon.xyz", "brainbasedeating.com", "sarsenet.com", "esiona.online", "tryaircrew.com", "bjguogai.com", "0086021.xyz", "serifcuvak.com", "walmart-tr.xyz", "eternal-lagoon.com", "elohimhealthandwellness.com", "startingover50plus.com", "wkiueatew.com", "jackbriody.com", "whmdkc.com", "xn--o9j5f5c2dse834zo8xashq.com", "energize2022.com", "jazz-brewery.com", "gancolombia.com", "marconbuildersltd.com", "gamingtechexperts.com"]}
Source | Rule | Description | Author | Strings
00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x42658:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x428d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x70c78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x70ef2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9e298:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9e512:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x4e405:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x7ca25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xaa045:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4def1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x7c511:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xa9b31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x4e507:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x7cb27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xaa147:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x4e67f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x7cc9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xaa2bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x432ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x7190a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x9ef2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
Source | Rule | Description | Author | Strings
6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.satoshika1966.com/oi25/"], "decoy": ["lawyers-tools-kit.com", "9fjca.com", "insurancewebforms.com", "trippinapetrlbe.xyz", "insurancebiography.com", "zb-yufeng.com", "5cidercircle.com", "sixthfleet.site", "jumple.net", "news-polygraph.com", "foresthillswoodworks.com", "matiagro.com", "lyndalloyd.com", "dianashairbraiding.com", "growmediaceylon.com", "sansinterprise.com", "bestonlinetravelsdeals.com", "eleganceresidences.site", "webstooge.com", "3pot.top", "remarksless.com", "herefun.xyz", "alekessentials.com", "nailsdonebypatty.com", "futureflipinternational.com", "globalmaintenancellc.com", "stakemyday.host", "spiritualitywithmartamaria.com", "convergeintl.com", "caminataporlaafasia.com", "azino777-kazinos563.win", "speedieb.com", "sjrz.net", "alternativewellnessspa.com", "xn--nachhilfe-zrich-9vb.net", "mytexdijital.com", "licabolodoces.com", "wydguardian.com", "sophiacarlisle.com", "circle-design.com", "varda-art-bazaar.com", "ananyashop.com", "0851yoga.com", "notveecon.xyz", "brainbasedeating.com", "sarsenet.com", "esiona.online", "tryaircrew.com", "bjguogai.com", "0086021.xyz", "serifcuvak.com", "walmart-tr.xyz", "eternal-lagoon.com", "elohimhealthandwellness.com", "startingover50plus.com", "wkiueatew.com", "jackbriody.com", "whmdkc.com", "xn--o9j5f5c2dse834zo8xashq.com", "energize2022.com", "jazz-brewery.com", "gancolombia.com", "marconbuildersltd.com", "gamingtechexperts.com"]}
Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jndOnPqDCz.exe | Joe Sandbox ML: detected
Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: UCOMIRefl.pdb source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, jndOnPqDCz.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487861193.000000000119F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.485223288.0000000000EE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.482521054.0000000000D47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487506736.0000000001080000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487861193.000000000119F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.485223288.0000000000EE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.482521054.0000000000D47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487506736.0000000001080000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: UCOMIRefl.pdbh source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, jndOnPqDCz.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Code function: 4x nop then pop esi | 6_2_004172DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Code function: 4x nop then pop edi | 6_2_0040E461
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Code function: 4x nop then pop edi | 6_2_00416CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Code function: 4x nop then pop edi | 6_2_00417DB3

Networking

Source: Malware configuration extractor | URLs: www.satoshika1966.com/oi25/
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.440298343.00000000058F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.440111545.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlp
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442287402.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442287402.00000000058F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442429609.00000000058F3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442570461.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frer:
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486578332.0000000001097000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comueoQ
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435142223.000000000590B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435211213.000000000590B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435103153.000000000590B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comc
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435361684.000000000590B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comn
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437707039.00000000058FE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437360666.00000000058FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437707039.00000000058FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/K
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437360666.00000000058FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn=n
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.443791485.00000000058F4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.443550368.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437795767.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comD
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437795767.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comfc
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442785550.00000000058F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deMT
Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.7490000.10.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.7490000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT | Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3c67358.7.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3c67358.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.2ad4968.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window | Author: ditekSHen
Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.491584265.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT | Author: ditekSHen
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.7490000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.7490000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3c67358.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3c67358.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.2ad4968.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.491584265.0000000007490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_005B476D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_00D86E58
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_00D86E48
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_00D870F8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_00D870E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_04EB6180
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_04EB6190
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 0_2_04EB4DB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041D819
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0040102F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041E8C2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041EC43
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00409E5B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00409E60
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041DF8D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00402FB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0054476D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A35A NtCreateFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A40A NtReadFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A48A NtClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041A53A NtAllocateVirtualMemory
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.487898059.0000000003C53000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000000.425908567.000000000066E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUCOMIRefl.exe" vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491584265.0000000007490000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000000.479809596.00000000005FE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUCOMIRefl.exe" vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.489446353.000000000132F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487861193.000000000119F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.485986749.0000000001004000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.482974921.0000000000E5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Binary or memory string: OriginalFilenameUCOMIRefl.exe" vs SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: jndOnPqDCz.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jndOnPqDCz.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jndOnPqDCz" /XML "C:\Users\user\AppData\Local\Temp\tmp127A.tmp
          Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe File created: C:\Users\user\AppData\Roaming\jndOnPqDCz.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe File created: C:\Users\user\AppData\Local\Temp\tmp127A.tmp
          Source: classification engine Classification label: mal100.troj.evad.winEXE@9/8@0/0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, CM/OC.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.5b0000.0.unpack, CM/OC.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.540000.7.unpack, CM/OC.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.540000.1.unpack, CM/OC.cs Cryptographic APIs: 'CreateDecryptor'
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: UCOMIRefl.pdb source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, jndOnPqDCz.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487861193.000000000119F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.485223288.0000000000EE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.482521054.0000000000D47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487506736.0000000001080000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487861193.000000000119F000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.485223288.0000000000EE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000003.482521054.0000000000D47000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000006.00000002.487506736.0000000001080000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: UCOMIRefl.pdbh source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, jndOnPqDCz.exe.0.dr

          Data Obfuscation

          barindex
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, CM/OC.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.5b0000.0.unpack, CM/OC.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.540000.7.unpack, CM/OC.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.540000.1.unpack, CM/OC.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00417200 push eax; iretd 6_2_00417207
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041D4B5 push eax; ret 6_2_0041D508
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041D56C push eax; ret 6_2_0041D572
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041D502 push eax; ret 6_2_0041D508
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_0041D50B push eax; ret 6_2_0041D572
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00416655 push cs; retf 6_2_0041666C
          Source: initial sample Static PE information: section name: .text entropy: 7.7430802552
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe File created: C:\Users\user\AppData\Roaming\jndOnPqDCz.exe

          Boot Survival

          barindex
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jndOnPqDCz" /XML "C:\Users\user\AppData\Local\Temp\tmp127A.tmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.2ad4968.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe PID: 6980, type: MEMORYSTR
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe TID: 6984 Thread sleep time: -43731s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe TID: 7036 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5984 Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6544 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4351
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1723
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Thread delayed: delay time: 43731
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486179414.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0x
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
          Source: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jndOnPqDCz.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jndOnPqDCz" /XML "C:\Users\user\AppData\Local\Temp\tmp127A.tmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.3a49930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

ATT&CK Matrix (grouped by tactic column; the leading digits are the counts the report's matrix shows next to a technique)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 13 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Query Registry; 221 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 112 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\jndOnPqDCz.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
6.2.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
Source | Detection | Scanner | Label
http://www.fonts.comc | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/K | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.tiro.comfc | 0% | Avira URL Cloud | safe
http://www.urwpp.deMT | 0% | Avira URL Cloud | safe
http://www.tiro.comD | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.comueoQ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.htmlp | 0% | Avira URL Cloud | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.founder.com.cn/cn=n | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
www.satoshika1966.com/oi25/ | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
www.satoshika1966.com/oi25/ | true | Avira URL Cloud: safe | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.comc | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435103153.000000000590B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frer: | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442287402.00000000058F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442429609.00000000058F3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442570461.00000000058F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/K | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437707039.00000000058FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comfc | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437795767.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deMT | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442785550.00000000058F4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comD | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437795767.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comueoQ | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486578332.0000000001097000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.443791485.00000000058F4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437707039.00000000058FE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437360666.00000000058FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.html | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.442287402.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ascendercorp.com/typedesigners.htmlp | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.440298343.00000000058F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.440111545.00000000058F2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype. | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.443550368.00000000058F5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn=n | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.437360666.00000000058FD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comn | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435361684.000000000590B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435142223.000000000590B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000003.435211213.000000000590B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe, 00000000.00000002.491051570.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                    No contacted IP infos
                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:635347
Start date and time: 27/05/2022 19:40:32 (2022-05-27 19:40:32 +02:00)
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 11s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.30092 (renamed file extension from 30092 to exe)
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@9/8@0/0
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HDC Information:
                                    • Successful, ratio: 24.2% (good quality ratio 22.7%)
                                    • Quality average: 70%
                                    • Quality standard deviation: 30.7%
                                    HCA Information:
                                    • Successful, ratio: 98%
                                    • Number of executed functions: 26
                                    • Number of non-executed functions: 12
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
Time | Type | Description
19:41:55 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe modified
19:42:06 | API Interceptor | 35x Sleep call for process: powershell.exe modified
                                    No context
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):1308
                                    Entropy (8bit):5.345811588615766
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                    MD5:2E016B886BDB8389D2DD0867BE55F87B
                                    SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                    SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                    SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):22188
                                    Entropy (8bit):5.601649796735967
                                    Encrypted:false
                                    SSDEEP:384:9tCDLqcc5Z1wWSN7CSYS0ngjultIA47nv3g3hInAML+6fmAV7aWDdOZQvnI+++g:H5gWYWTgClt7c667KepWp+g
                                    MD5:0DF2852803B88D3A7C83277BBC4EE319
                                    SHA1:72AB7A514B643728A5E9CC555C3B47A0E01B77B1
                                    SHA-256:E3CE18F0CCE672E8CDEEB077BC202FE1DA48CD86F0C44518E7B4F2D657369C71
                                    SHA-512:731C6ED1B0B227917BA834233830EDB62E9D1CE77B1B24A5DA2C83C31D89BD51D64A000D82787D3A6DFF3EC22C3A061F1177C393DF747A7DEC5EA0485F0221B6
                                    Malicious:false
                                    Reputation:low
                                    Preview:@...e...........d.......K.7...........X...*..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:1
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview:1
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1601
                                    Entropy (8bit):5.135759873609857
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT/v
                                    MD5:CD89408FF92E1E9E12850EBF1C6F344C
                                    SHA1:8353B8DBCE3B8E7628F3CB83A10684041283DB1D
                                    SHA-256:A07AFEF1B4ABE13D4FFE7DD1E4701B00D82178961EDB04B10F44DB61DD833E94
                                    SHA-512:D888D0C215B6E90DF4F163EFC9C2470EC6C4E4204B27DE4A683A347A915F026DA6181246DA71DD93C7588F5EA9B3B4B541697B48F7D838CDE9F82791078E80FD
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):787968
                                    Entropy (8bit):7.744917884710675
                                    Encrypted:false
                                    SSDEEP:12288:X9T+WDarHZNZS+r30hma4ubokv2LrEeGJNI6fWx4VWZo9twO0zEuqD:XZRGZdkhmMbok+LQVIQZUeCwF
                                    MD5:F5BE926B8353B200B0D078B6BDBB2409
                                    SHA1:082C34D23A644ED820470C67E7AB3BA47C3929E3
                                    SHA-256:E4769E3E2B77ECAF145799BBD14FC3EBE7B7032F12F34807C59F59CEE8EB063D
                                    SHA-512:5FCE70A347883DFC94A2855C5C65AA578AA73C3732FEAC539C6306353D5BF8CC44BEB383C713955BAF88F7A5E5B6D7567783D10C4E887B3F026BC00EF64C57B0
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y.b..............0......Z........... ........@.. .......................`............@.................................@...K........W...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....W.......X..................@..@.reloc.......@......................@..B................p.......H.......,(...{.............7#...........................................0../.......(....8.....(....8....*.....%..}......}....8......0............{.........8....8....8......*...0..~.......88.......E........8.....8....8.....*...}....8......9....8........8.......{....:.....8.....{....}.... ....(....9....& ....8.......0..........8......*..(......8....8....8......(......8......&~.......*...~....*..(....8......}....8.....(....8.....*...(....8.......N..o....(....&8....*.0..........
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):5799
                                    Entropy (8bit):5.396460917709077
                                    Encrypted:false
                                    SSDEEP:96:BZ2B/wNWqDo1ZwWZs/wNWqDo1Z6G0OjZ3/wNWqDo1ZWveeQZK:0
                                    MD5:29B9E05A61294F6C8C93B962D390EFD8
                                    SHA1:60FFD9FEF6B98DAE5BEFD477DB8390A034F10CEF
                                    SHA-256:5057D27C703EC4D7C994377BA242681836D9B1BAC3393277C6579FCD8B0BA99D
                                    SHA-512:908989D3FE0A41A1C5C59C1A90D4499F4F23C730961FC7778149914259F687BF00F86F6C84C838FA2E322A93CD3A58EFD0C43488D7475F821DA97D0514FFBD5D
                                    Malicious:false
                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527194206..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 045012 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\jndOnPqDCz.exe..Process ID: 6456..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220527194206..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\jndOnPqDCz.exe..**********************..Windows PowerShell transcript start..Start time: 20220527194547..Username: computer\user..RunAs User: computer
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.744917884710675
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    File size:787968
                                    MD5:f5be926b8353b200b0d078b6bdbb2409
                                    SHA1:082c34d23a644ed820470c67e7ab3ba47c3929e3
                                    SHA256:e4769e3e2b77ecaf145799bbd14fc3ebe7b7032f12f34807c59f59cee8eb063d
                                    SHA512:5fce70a347883dfc94a2855c5c65aa578aa73c3732feac539c6306353d5bf8cc44beb383c713955baf88f7a5e5b6d7567783d10c4e887b3f026bc00ef64c57b0
                                    SSDEEP:12288:X9T+WDarHZNZS+r30hma4ubokv2LrEeGJNI6fWx4VWZo9twO0zEuqD:XZRGZdkhmMbok+LQVIQZUeCwF
                                    TLSH:D9F4DF3972A6AE23C1A843B4C0D7A41803F565479132D7C7BFC729C62A867E64DCDB87
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y..b..............0......Z........... ........@.. .......................`............@................................
                                    Icon Hash:4462f276dcec30e6
                                    Entrypoint:0x4bc98e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x6290E459 [Fri May 27 14:46:49 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al   (repeated to the end of the listing)
                                    The first instruction is the standard x86 CLR entry stub: an indirect jump through the IAT at RVA 0x2000 (see the IAT directory entry and the single mscoree.dll!_CorExeMain import below). The bytes that follow are zero padding, which the disassembler renders as the repeated add byte ptr [eax], al.
                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc940          0x4b          .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbe000          0x57b0        .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc4000          0xc           .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0xbc8fb          0x1c          .text
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                    .text   0x2000           0xba994       0xbaa00   False     0.882103461989   data       7.7430802552    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc   0xbe000          0x57b0        0x5800    False     0.964710582386   data       7.8903360112    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc  0xc4000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
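The three per-section measures in the table above (8-bit entropy, ZLIB complexity, Xored PE) are what separate .text at 7.74 / 0.88 from .reloc at 0.10 / 0.04. The Python below is an added example written for this page, not Joe Sandbox's implementation: the definitions are this example's assumptions (entropy in bits per byte, complexity as deflate output size over input size, Xored PE as a search for the DOS stub string under every single-byte XOR key), the section contents are constructed, and all function names are the example's own. The table is consistent with those definitions: .reloc's 0.044921875 is exactly 23/512 for a 0x200-byte raw section.

```python
"""Section heuristics behind the table above: 8-bit entropy, zlib complexity
and the "Xored PE" check. Added example (the editor's code, not Joe Sandbox's);
the definitions are assumptions and the section contents are constructed."""
import math
import random
import zlib

DOS_STUB = b"This program cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant fill, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Deflate output size over input size: about 1.0 for random or encrypted
    bytes, near 0 for padding. Independent of entropy: permuting the bytes of
    a plaintext keeps its entropy but leaves it compressible."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def find_xored_pe(data: bytes):
    """Search for the DOS stub string under every single-byte XOR key. Key 0 means
    an embedded plain PE, any other key an XOR-obfuscated one. Returns (key,
    offset) or None; multi-byte keys are out of scope for this check."""
    for key in range(256):
        off = data.find(bytes(b ^ key for b in DOS_STUB))
        if off != -1:
            return key, off
    return None


def classify(entropy: float, complexity: float) -> str:
    """Thresholds are this example's assumption, not a published cut-off."""
    if entropy > 7.2 and complexity > 0.85:
        return "packed or encrypted"
    if entropy < 1.0:
        return "padding or sparse data"
    return "plain code or data"


def analyze(sections: dict) -> dict:
    """Map section name -> measures, for a dict of name -> raw section bytes."""
    out = {}
    for name, data in sections.items():
        e, c = shannon_entropy(data), zlib_complexity(data)
        out[name] = {"entropy": round(e, 4), "zlib_complexity": round(c, 4),
                     "xored_pe": find_xored_pe(data), "verdict": classify(e, c)}
    return out


def constructed_sections() -> dict:
    """Constructed test data: a deterministic pseudo-random ".text" carrying a
    fake PE header XORed with 0x5A at offset 1000, a random ".rsrc", and an
    all-zero ".reloc"."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(32768))
    fake_pe = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 64
    xored = bytes(b ^ 0x5A for b in fake_pe)
    return {".text": noise[:1000] + xored + noise[1000:],
            ".rsrc": bytes(rng.getrandbits(8) for _ in range(16384)),
            ".reloc": b"\x00" * 512}


if __name__ == "__main__":
    for name, r in analyze(constructed_sections()).items():
        print(f"{name:7} entropy={r['entropy']:.4f} zlib={r['zlib_complexity']:.4f} "
              f"xored_pe={r['xored_pe']} -> {r['verdict']}")
```

Feed real sections by slicing the file at each section's raw offset and raw size. The constructed .text comes back as packed or encrypted with the XOR key recovered at offset 1064 (the stub sits 64 bytes into the fake header), which is the case the table's Xored PE column exists for; this sample's sections all report False, so its payload is not single-byte-XORed PE data in the file image.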
                                    Name           RVA      Size    Type                                                                         Language  Country
                                    RT_ICON        0xbe130  0x51a3  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                    RT_GROUP_ICON  0xc32d4  0x14    data
                                    RT_VERSION     0xc32e8  0x2dc   data
                                    RT_MANIFEST    0xc35c4  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                    DLL          Import
                                    mscoree.dll  _CorExeMain
                                    Description       Data
                                    Translation       0x0000 0x04b0
                                    LegalCopyright
                                    Assembly Version  1.0.0.0
                                    InternalName      UCOMIRefl.exe
                                    FileVersion       1.0.0.0
                                    CompanyName
                                    LegalTrademarks
                                    Comments
                                    ProductName
                                    ProductVersion    1.0.0.0
                                    FileDescription
                                    OriginalFilename  UCOMIRefl.exe
                                    No network behavior found

                                    Target ID:0
                                    Start time:19:41:43
                                    Start date:27/05/2022
                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe"
                                    Imagebase:0x5b0000
                                    File size:787968 bytes
                                    MD5 hash:F5BE926B8353B200B0D078B6BDBB2409
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.487282650.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.486729081.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.491584265.0000000007490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low

                                    Target ID:2
                                    Start time:19:42:03
                                    Start date:27/05/2022
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jndOnPqDCz.exe
                                    Imagebase:0x950000
                                    File size:430592 bytes
                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    Target ID:3
                                    Start time:19:42:03
                                    Start date:27/05/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff77f440000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:4
                                    Start time:19:42:04
                                    Start date:27/05/2022
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jndOnPqDCz" /XML "C:\Users\user\AppData\Local\Temp\tmp127A.tmp
                                    Imagebase:0xf70000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:5
                                    Start time:19:42:06
                                    Start date:27/05/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff77f440000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:6
                                    Start time:19:42:07
                                    Start date:27/05/2022
                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe
                                    Imagebase:0x540000
                                    File size:787968 bytes
                                    MD5 hash:F5BE926B8353B200B0D078B6BDBB2409
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.481993204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.481552223.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low
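Read together, targets 2 and 4 set up defense evasion and persistence for one payload name (jndOnPqDCz), and target 6 is the sample image started a second time. The Python below is an added example for this page, not part of the Joe Sandbox report: it applies a few command-line rules to the four records above, copied from the list, and correlates them. Rule names, severities and the user-writable directory list are this example's assumptions.

```python
"""Rule-based triage of the process records listed above.

Added example: the editor's own code, not part of the Joe Sandbox report. The
four records are copied from the report (Target IDs 0, 2, 4 and 6); the rules,
severities and directory lists are assumptions of this example.
"""
import ntpath
import re

PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe",
     "cmd": r'"C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe"'},
    {"id": 2, "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference'
            r' -ExclusionPath "C:\Users\user\AppData\Roaming\jndOnPqDCz.exe"'},
    {"id": 4, "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jndOnPqDCz"'
            r' /XML "C:\Users\user\AppData\Local\Temp\tmp127A.tmp"'},
    {"id": 6, "path": r"C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe",
     "cmd": r"C:\Users\user\Desktop\SecuriteInfo.com.Heur.MSIL.Bladabindi.1.11302.exe"},
]

# The 32-bit loader's requests for System32 are redirected to SysWOW64 (WOW64
# file-system redirection), so the image path and the command line name
# different directories; a rule keyed on only one of them misses the other.
POWERSHELL = re.compile(r"\\(System32|SysWOW64)\\WindowsPowerShell\\v1\.0\\powershell\.exe$", re.I)
SCHTASKS = re.compile(r"\\(System32|SysWOW64)\\schtasks\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+\"?([^\"\s]+)", re.I)


def switch_value(name: str):
    """Regex for the value of a schtasks switch such as /TN or /XML, quoted or not."""
    return re.compile(rf"/{name}\s+\"?([^\"]+?)\"?(?=\s+/|\s*$)", re.I)


TASK_NAME, TASK_XML = switch_value("TN"), switch_value("XML")


def triage(processes):
    """Return (severity, target id(s), message) tuples for the given records."""
    findings, exclusions, tasks = [], [], []
    for p in processes:
        if POWERSHELL.search(p["path"]):
            m = EXCLUSION.search(p["cmd"])
            if m:
                kind, target = m.group(1), m.group(2)
                sev = "high" if USER_WRITABLE.search(target) else "medium"
                findings.append((sev, p["id"], f"Defender Exclusion{kind} added for {target}"))
                exclusions.append((p["id"], target))
        elif SCHTASKS.search(p["path"]) and re.search(r"/Create\b", p["cmd"], re.I):
            name_m, xml_m = TASK_NAME.search(p["cmd"]), TASK_XML.search(p["cmd"])
            name = name_m.group(1) if name_m else "?"
            xml = xml_m.group(1) if xml_m else ""
            # A definition fed from a temp file points at a loader that writes a
            # template, registers it and removes it again.
            sev = "high" if re.search(r"\\Temp\\", xml, re.I) else "medium"
            findings.append((sev, p["id"], f"scheduled task {name} created" + (f" from {xml}" if xml else "")))
            tasks.append((p["id"], name))
    # Correlation: the task's leaf name equals the excluded executable's stem,
    # i.e. persistence and defense evasion were set up for the same payload.
    for eid, target in exclusions:
        stem = ntpath.splitext(ntpath.basename(target))[0].lower()
        for tid, name in tasks:
            if name.rsplit("\\", 1)[-1].lower() == stem:
                findings.append(("critical", (eid, tid),
                                 f"task {name} and Defender exclusion both name {stem}: "
                                 "persistence plus defense evasion for one payload"))
    first = processes[0]["path"].lower()
    again = [p["id"] for p in processes[1:] if p["path"].lower() == first]
    if again:
        findings.append(("info", again, "sample image started a second time; consistent "
                         "with the PE-injection signature in the report"))
    return findings


if __name__ == "__main__":
    for sev, ids, msg in triage(PROCESSES):
        print(f"[{sev:8}] target {ids}: {msg}")
```

Targets 3 and 5 (conhost.exe 0xffffffff -ForceV1) are left out: they are the console hosts for the two command-line tools and carry no signal of their own. On the four records above the rules produce one high finding each for the exclusion and the task, the critical correlation between them, and an informational note on the second start of the sample image.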


                                      Execution Graph

                                      Execution Coverage:9.8%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:134
                                      Total number of Limit Nodes:6
                                      [Execution graph rendering omitted: 134 nodes and 6 limit nodes, as stated above, all in code outside the mapped image (addresses 0x04EBxxxx and 0x00D8xxxx). Resolved API calls on the graph: GetModuleHandleW, LoadLibraryExW, CreateActCtxA, SetWindowLongW, DuplicateHandle, CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and CallWindowProcW.]

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 04EB3710
                                      • GetCurrentThread.KERNEL32 ref: 04EB374D
                                      • GetCurrentProcess.KERNEL32 ref: 04EB378A
                                      • GetCurrentThreadId.KERNEL32 ref: 04EB37E3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: bb358e5513a1e884a3fe734b5fc0b79b20f07cba32c83556d7951b5f6d2f9dc9
                                      • Instruction ID: d50e6223e9206890fa03ac3d5a3f4e217f2c90c432e265a7bd33635edce1f7a2
                                      • Opcode Fuzzy Hash: bb358e5513a1e884a3fe734b5fc0b79b20f07cba32c83556d7951b5f6d2f9dc9
                                      • Instruction Fuzzy Hash: C55176B09007498FDB14DFA9D589BDEBBF4FF88318F24841AE489A3350C775A844CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb7918, block 4eb799b-4eb7a3a calls CreateWindowExW]
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04EB7A2A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 79355c9b059e77c0ebc5dd837b342ec4002234fbda8e9e01287cacbe6793bcc3
                                      • Instruction ID: 65a3d8c25e5f4130cd062fdb72a9eb4ea873efdd8e0cf9b0bb27066d40489737
                                      • Opcode Fuzzy Hash: 79355c9b059e77c0ebc5dd837b342ec4002234fbda8e9e01287cacbe6793bcc3
                                      • Instruction Fuzzy Hash: DB41BEB1D003099FDB14CFAAC884ADEBBB5BF88314F25852AE419AB210D775A945CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at d8573d, block d85748-d85809 calls CreateActCtxA]
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00D857F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486342034.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d80000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 07cf41af16e4cd86d11364c6a5c646ed43a5f37879603a37f85a1bf1a7792fe5
                                      • Instruction ID: 58d2212feffe8a2236a7f5fa83296962594d284c8656f2fefe9a71da12425732
                                      • Opcode Fuzzy Hash: 07cf41af16e4cd86d11364c6a5c646ed43a5f37879603a37f85a1bf1a7792fe5
                                      • Instruction Fuzzy Hash: 1641E270C00718CFDB24DFA9C884BDEBBB9BF48304F24856AD549AB255DB71594ACFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb7bec, block 4eba37a-4eba3b2 calls CallWindowProcW, block 4eba3cc-4eba3ec calls 4eb7ac4]
                                      APIs
                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 04EBA3A1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: CallProcWindow
                                      • String ID:
                                      • API String ID: 2714655100-0
                                      • Opcode ID: 1fbbdb3f94ff328a918ba77246da22a301103f87faea963237a43c79b8c4421c
                                      • Instruction ID: 471d5d5176dc68b7617953a5d38b9e160b9a817baf4eb04e912caad8aeedbfc7
                                      • Opcode Fuzzy Hash: 1fbbdb3f94ff328a918ba77246da22a301103f87faea963237a43c79b8c4421c
                                      • Instruction Fuzzy Hash: 394128B4A00705CFCB14CF99C488AAFBBF5FB88314F288459E559A7321D375A845CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at d84238, block d84238-d85809 calls CreateActCtxA]
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00D857F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486342034.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d80000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 7696022ab57453e0c42ad6b377313b6f0b951449cdca53d82aafe4d6827951ec
                                      • Instruction ID: b3fc75bdb9507272c66455d19a42972afd94f36d3eace97c32137c926f7a474f
                                      • Opcode Fuzzy Hash: 7696022ab57453e0c42ad6b377313b6f0b951449cdca53d82aafe4d6827951ec
                                      • Instruction Fuzzy Hash: 5041E270C00618CBDB24DFA9C844BDEBBF5BF48304F24856AD549AB255DB71594ACF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb38d0, block 4eb38d0-4eb396c calls DuplicateHandle]
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EB395F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: fe352f9fed131c4f51c1bd72895cfc09f87f12ff889c5a285372e699afef8bea
                                      • Instruction ID: c3215dfe480e8bcc6a547e2c06ff0870c8584c96ed9cc1a32cae15e3e8fdbe53
                                      • Opcode Fuzzy Hash: fe352f9fed131c4f51c1bd72895cfc09f87f12ff889c5a285372e699afef8bea
                                      • Instruction Fuzzy Hash: 6C2105B5901209EFDB10CFA9D484ADEBBF4FB48324F14841AE914B3310D379A954CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb38d8, block 4eb38d8-4eb396c calls DuplicateHandle]
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EB395F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 1058e79b91763b4108bce2398b6982d83d34d3da225fa6e242ee6c637ea860f9
                                      • Instruction ID: ee0736c2a37563209548e25918f6bbb0082b0314aa97de614995717792d58f3d
                                      • Opcode Fuzzy Hash: 1058e79b91763b4108bce2398b6982d83d34d3da225fa6e242ee6c637ea860f9
                                      • Instruction Fuzzy Hash: 3F21E2B5900209AFDB10CFAAD884ADEBBF8FB48324F14841AE954A3750D374A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb1070, block 4eb1878-4eb18a7 calls LoadLibraryExW]
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04EB1689,00000800,00000000,00000000), ref: 04EB189A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: cbbb3fac7cd78cb175cb5974302bbd0f3862091206bf3e49391155a58dadb902
                                      • Instruction ID: 52a8406506ada45d775410d67f9b33fb47e9be6aa24572e52520f872eb6290e7
                                      • Opcode Fuzzy Hash: cbbb3fac7cd78cb175cb5974302bbd0f3862091206bf3e49391155a58dadb902
                                      • Instruction Fuzzy Hash: 931103B69002098FDB10CF9AD444BDFFBF4FB48364F14842AE555A7600C375A945CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb1828, block 4eb1878-4eb18a7 calls LoadLibraryExW]
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04EB1689,00000800,00000000,00000000), ref: 04EB189A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 1b8a962ade1e7a211dfa7b632bbcfce1d62d2ac66e79fd646ec892ae12243ec3
                                      • Instruction ID: 2ce495a6a5d4adcffe6d368b490356db0ad95a968b3e5c4aca4e41025662704d
                                      • Opcode Fuzzy Hash: 1b8a962ade1e7a211dfa7b632bbcfce1d62d2ac66e79fd646ec892ae12243ec3
                                      • Instruction Fuzzy Hash: FB1103B6D002098FDB10CF9AD484ADFFBF4FB88364F14852AE559A7600C375AA45CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb15a8, block 4eb15f0-4eb161b calls GetModuleHandleW]
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 04EB160E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: c4b769c514c3c2aaa1061006b6121463e53df50658aef476828fb84c17855238
                                      • Instruction ID: e81d72bffce4f996d989ce262d527c49746ccd362a3454ef72787b6e5b81c350
                                      • Opcode Fuzzy Hash: c4b769c514c3c2aaa1061006b6121463e53df50658aef476828fb84c17855238
                                      • Instruction Fuzzy Hash: F511DFB5D006498FDB10CF9AD444ADFFBF4EB88364F18882AD859A7600D375A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph rendering omitted; function starting at 4eb7f68, block 4eb7f68-4eb7fd2 calls SetWindowLongW]
                                      APIs
                                      • SetWindowLongW.USER32(?,?,?), ref: 04EB7FC5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID: LongWindow
                                      • String ID:
                                      • API String ID: 1378638983-0
                                      • Opcode ID: 8df9d38c3123bc91598e03a3890e751ff89d6b23235ef360e1a3f9b96c5fc56e
                                      • Instruction ID: 742282df6dfa92dabb6550ca1737229cffe4fa7d2ac27359aea08a2ca7efd2b9
                                      • Opcode Fuzzy Hash: 8df9d38c3123bc91598e03a3890e751ff89d6b23235ef360e1a3f9b96c5fc56e
                                      • Instruction Fuzzy Hash: 601103B58002098FDB10CF99D485BDFBBF8EB88324F14841AE955A3700C374A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486260129.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d3d000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 68768561acb71a23b589354ff8c652292fc8b2ccc5f760177e67f0aebe31705c
                                      • Instruction ID: ceb0af0e4e7f1bf88779efaf34d01471ebd5618764e23427324ad33764e450d9
                                      • Opcode Fuzzy Hash: 68768561acb71a23b589354ff8c652292fc8b2ccc5f760177e67f0aebe31705c
                                      • Instruction Fuzzy Hash: DC21F575504200EFDB05DF60E9C4B27BB66FB84318F28C96DE8494B246C736D84ACE71
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486260129.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d3d000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2038ad5c7ac89f1a6a145f152dc346554074c210db26d567ac10c5202a434363
                                      • Instruction ID: f8e5796bac3edf1635caced6c148917a5c5a8f5025f78ded79fc7dce2ed4b80d
                                      • Opcode Fuzzy Hash: 2038ad5c7ac89f1a6a145f152dc346554074c210db26d567ac10c5202a434363
                                      • Instruction Fuzzy Hash: 7A21F271604240DFCB18DF60E9C4B26BB66FB84B24F28C96DE8494B246C336D846CEB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486260129.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d3d000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ef347f3c1dcf7f52b91a2ed9b00da381d0af9e7e67247069d234e7137fa5ac77
                                      • Instruction ID: b7278574ec99dced4d8d20dee48389746c67f13870c2ce3cd82710602072c68b
                                      • Opcode Fuzzy Hash: ef347f3c1dcf7f52b91a2ed9b00da381d0af9e7e67247069d234e7137fa5ac77
                                      • Instruction Fuzzy Hash: F22180755093C08FCB06CF24D990B15BF72EB46314F28C5EAD8498F697C33A980ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486260129.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d3d000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f823e0dc345e2126d606dcf5cd21c03b9d06a74c0f615286e8c703fd7d05c13
                                      • Instruction ID: 7a99c72265bae40bad978b2ea9ad147defc4ce2a7abea66ea9a13ac95bd37b20
                                      • Opcode Fuzzy Hash: 4f823e0dc345e2126d606dcf5cd21c03b9d06a74c0f615286e8c703fd7d05c13
                                      • Instruction Fuzzy Hash: 76118B79504280DFCB12CF10D5C4B16BBA2FB84324F28C6A9D8494B656C33AD85ACF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c16294f74cf66e899b3ba8f9df2b2dc5b067903ef0589f32c3d2c6aff38887f
                                      • Instruction ID: 3461f5f84888a9422d32c942c267388be2ae48b1443194ddac5adf339156e5de
                                      • Opcode Fuzzy Hash: 3c16294f74cf66e899b3ba8f9df2b2dc5b067903ef0589f32c3d2c6aff38887f
                                      • Instruction Fuzzy Hash: 8512C7F9411B468BE330CF65EED85893BA1B745328F904308D2E11BAD9D7BE156ACF84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6340a7777f4ba5f4fe3faf20b9a45418fbda2cb1e2d45993433cbe5aef2d1734
                                      • Instruction ID: 852ef5c6bd32e54f08b79b9967a2a900707315a2e89e85e0297b027e4553b136
                                      • Opcode Fuzzy Hash: 6340a7777f4ba5f4fe3faf20b9a45418fbda2cb1e2d45993433cbe5aef2d1734
                                      • Instruction Fuzzy Hash: 63A19F32E002199FCF15DFA5C9845DEBBB2FF84308B15856AE845BB265EB31A905CF80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.489594017.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_4eb0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9520c8d6a6d6f2d93065ed52004d7e8b99d91b09e13bcff41d98e645ee6487a0
                                      • Instruction ID: d703d37417f33390ee67d1c4462cb1e3c92f9576aabf629ba2b494084d4995bf
                                      • Opcode Fuzzy Hash: 9520c8d6a6d6f2d93065ed52004d7e8b99d91b09e13bcff41d98e645ee6487a0
                                      • Instruction Fuzzy Hash: F1C116F98117468BD320CF65EED81893BB1BB85328F514309D2A16BAD8D7BE145ACF84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486342034.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d80000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a0e61715e03394b38bdd5f9955d9ac2528d2700af85ad7614b4a01df12b86d6e
                                      • Instruction ID: f264bfd328538e16b66a0904d797d69e0edcdfd73811c615a9a0fbe980822f1e
                                      • Opcode Fuzzy Hash: a0e61715e03394b38bdd5f9955d9ac2528d2700af85ad7614b4a01df12b86d6e
                                      • Instruction Fuzzy Hash: 13712D74E012448FDB45EFBAE851A8ABBF2FFC4304F04C929D004DB368EB7559168B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486342034.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d80000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a519e7b485ebebd223632cbd6b928a3aad0a8a36950d59968ff088a0281fa3e8
                                      • Instruction ID: 3268b65737c9996d8e450742bfe17474d9f91b6a352d65b6ef4592ec7b2cb22c
                                      • Opcode Fuzzy Hash: a519e7b485ebebd223632cbd6b928a3aad0a8a36950d59968ff088a0281fa3e8
                                      • Instruction Fuzzy Hash: 05611E74E052448FDB45EFBAE951A8ABBF2EBC4304F04C929D004DB368EB7559168B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 81%
                                      			E005B476D(signed int __eax, void* __ebx, signed int __ecx, intOrPtr* __edx, intOrPtr* __esi) {
                                      				signed char _t5;
                                      				signed char _t6;
                                      				signed char _t7;
                                      				signed char _t8;
                                      				signed char _t9;
                                      				signed char _t10;
                                      				signed char _t11;
                                      				signed char _t12;
                                      				signed char _t13;
                                      				signed char _t14;
                                      				signed char _t15;
                                      				signed char _t16;
                                      				signed char _t17;
                                      				signed char _t18;
                                      				signed char _t19;
                                      				signed char _t20;
                                      				signed char _t22;
                                      				signed char _t25;
                                      				signed char _t26;
                                      				intOrPtr* _t27;
                                      				intOrPtr* _t28;
                                      				intOrPtr* _t29;
                                      				signed int _t30;
                                      
                                      				_t28 = __esi;
                                      				_t27 = __edx;
                                      				_t5 = __eax & 0xc220111f;
                                      				 *_t5 =  *_t5 | _t5;
                                      				 *_t5 =  *_t5 + __ecx;
                                      				_pop(_t29);
                                      				 *_t5 =  *_t5 + _t5;
                                      				_push(es);
                                      				 *0x20121f25 = _t5;
                                      				asm("int3");
                                      				 *_t5 =  *_t5 | _t5;
                                      				 *_t5 =  *_t5 + __ecx;
                                      				_t6 = _t5 ^  *__ecx;
                                      				 *__esi =  *__esi + _t6;
                                      				 *0x20131f25 = _t6;
                                      				asm("salc");
                                      				 *_t6 =  *_t6 | _t6;
                                      				 *_t6 =  *_t6 + __ecx;
                                      				_t7 = _t6 ^  *__ecx;
                                      				 *__esi =  *__esi + _t7;
                                      				 *0x20141f25 = _t7;
                                      				asm("loop 0xa");
                                      				 *_t7 =  *_t7 + _t7;
                                      				 *__edx =  *__edx - __edx;
                                      				 *_t7 =  *_t7 + _t7;
                                      				_push(es);
                                      				 *0x20151f25 = _t7;
                                      				asm("in al, dx");
                                      				 *_t7 =  *_t7 | _t7;
                                      				 *_t7 =  *_t7 + __ecx;
                                      				_t8 = _t7 ^  *__ecx;
                                      				 *__esi =  *__esi + _t8;
                                      				 *0x20161f25 = _t8;
                                      				 *_t8 =  *_t8 + __ecx;
                                      				_t9 = _t8 ^  *__ecx;
                                      				 *__esi =  *__esi + _t9;
                                      				 *0x20171f25 = _t9;
                                      				 *__ecx =  *__ecx + __ecx;
                                      				 *_t9 =  *_t9 + _t9;
                                      				 *__edx =  *__edx - __edx;
                                      				 *_t9 =  *_t9 + _t9;
                                      				_push(es);
                                      				 *0x20181f25 = _t9;
                                      				_t25 = __ecx |  *__ecx;
                                      				 *_t9 =  *_t9 + _t9;
                                      				 *_t29 =  *_t29 - __ebx;
                                      				 *__esi =  *__esi + _t9;
                                      				 *0x20191f25 = _t9;
                                      				asm("adc al, 0x9");
                                      				 *_t9 =  *_t9 + _t9;
                                      				 *__edx =  *__edx - __edx;
                                      				 *_t9 =  *_t9 + _t9;
                                      				_push(es);
                                      				 *0x201a1f25 = _t9;
                                      				_push(ds);
                                      				 *_t9 =  *_t9 | _t9;
                                      				 *_t9 =  *_t9 + _t25;
                                      				_t10 = _t9 ^  *_t25;
                                      				 *__esi =  *__esi + _t10;
                                      				 *0x201b1f25 = _t10;
                                      				 *_t25 =  *_t25 - _t25;
                                      				 *_t10 =  *_t10 + _t10;
                                      				 *_t29 =  *_t29 - __ebx;
                                      				 *__esi =  *__esi + _t10;
                                      				 *0x201c1f25 = _t10;
                                      				_t26 = _t25 ^  *_t25;
                                      				 *_t10 =  *_t10 + _t10;
                                      				 *__edx =  *__edx - __edx;
                                      				 *_t10 =  *_t10 + _t10;
                                      				_push(es);
                                      				 *0x201d1f25 = _t10;
                                      				 *_t10 =  *_t10 + _t10;
                                      				 *__edx =  *__edx - __edx;
                                      				 *_t10 =  *_t10 + _t10;
                                      				_push(es);
                                      				 *0x201e1f25 = _t10;
                                      				_t11 = _t10 - 1;
                                      				 *_t11 =  *_t11 | _t11;
                                      				 *_t11 =  *_t11 + _t26;
                                      				_t12 = _t11 ^  *_t26;
                                      				 *__esi =  *__esi + _t12;
                                      				 *0x201f1f25 = _t12;
                                      				_push(__edx);
                                      				 *_t12 =  *_t12 | _t12;
                                      				 *_t12 =  *_t12 + _t26;
                                      				_t13 = _t12 ^  *_t26;
                                      				 *__esi =  *__esi + _t13;
                                      				 *0x20201f25 = _t13;
                                      				_pop(_t30);
                                      				 *_t13 =  *_t13 | _t13;
                                      				 *_t13 =  *_t13 + _t26;
                                      				_t14 = _t13 ^  *_t26;
                                      				 *__esi =  *__esi + _t14;
                                      				 *0x20211f25 = _t14;
                                      				 *_t14 =  *_t14 | _t14;
                                      				 *_t14 =  *_t14 + _t26;
                                      				_t15 = _t14 ^  *_t26;
                                      				 *__esi =  *__esi + _t15;
                                      				 *0x20221f25 = _t15;
                                      				if( *__esi >= 0) {
                                      					 *_t15 =  *_t15 + _t15;
                                      					 *_t29 =  *_t29 - __ebx;
                                      					 *__esi =  *__esi + _t15;
                                      					 *0x20231f25 = _t15;
                                      				}
                                      				_pop(ds);
                                      				if((_t30 &  *_t15) == 0) {
                                      					 *_t15 =  *_t15 + _t15;
                                      					 *_t27 =  *_t27 - _t27;
                                      					 *_t15 =  *_t15 + _t15;
                                      					_push(es);
                                      					 *0x20241f25 = _t15;
                                      				}
                                      				_pop(ds);
                                      				_t16 = _t15 & 0x00000020;
                                      				 *_t16 =  *_t16 + _t16;
                                      				 *_t27 =  *_t27 - _t27;
                                      				 *_t16 =  *_t16 + _t16;
                                      				_push(es);
                                      				 *0x20251f25 = _t16;
                                      				cs =  *_t26;
                                      				 *_t16 =  *_t16 + _t16;
                                      				 *_t27 =  *_t27 - _t27;
                                      				 *_t16 =  *_t16 + _t16;
                                      				_push(es);
                                      				 *0x20261f25 = _t16;
                                      				_t17 = _t16;
                                      				 *_t17 =  *_t17 | _t17;
                                      				 *_t17 =  *_t17 + _t26;
                                      				_t18 = _t17 ^  *_t26;
                                      				 *_t28 =  *_t28 + _t18;
                                      				 *0x20271f25 = _t18;
                                      				 *0x28000009 = _t18;
                                      				_t19 = _t18 ^  *_t26;
                                      				 *_t28 =  *_t28 + _t19;
                                      				 *0x20281f25 = _t19;
                                      				asm("scasb");
                                      				 *_t19 =  *_t19 | _t19;
                                      				 *_t19 =  *_t19 + _t26;
                                      				_t20 = _t19 ^  *_t26;
                                      				 *_t28 =  *_t28 + _t20;
                                      				 *0x20291f25 = _t20;
                                      				_t22 = 0x28000009 ^  *_t26;
                                      				 *_t28 =  *_t28 + _t22;
                                      				 *0x202a1f25 = _t22;
                                      				return _t22;
                                      			}

                                      0x005b476d
                                      0x005b476d
                                      0x005b476d
                                      0x005b4772
                                      0x005b4774
                                      0x005b4776
                                      0x005b4777
                                      0x005b4779
                                      0x005b477a
                                      0x005b477f
                                      0x005b4780
                                      0x005b4782
                                      0x005b4784
                                      0x005b4786
                                      0x005b4788
                                      0x005b478d
                                      0x005b478e
                                      0x005b4790
                                      0x005b4792
                                      0x005b4794
                                      0x005b4796
                                      0x005b479b
                                      0x005b479d
                                      0x005b479f
                                      0x005b47a1
                                      0x005b47a3
                                      0x005b47a4
                                      0x005b47a9
                                      0x005b47aa
                                      0x005b47ac
                                      0x005b47ae
                                      0x005b47b0
                                      0x005b47b2
                                      0x005b47ba
                                      0x005b47bc
                                      0x005b47be
                                      0x005b47c0
                                      0x005b47c5
                                      0x005b47c7
                                      0x005b47c9
                                      0x005b47cb
                                      0x005b47cd
                                      0x005b47ce
                                      0x005b47d3
                                      0x005b47d5
                                      0x005b47d7
                                      0x005b47da
                                      0x005b47dc
                                      0x005b47e1
                                      0x005b47e3
                                      0x005b47e5
                                      0x005b47e7
                                      0x005b47e9
                                      0x005b47ea
                                      0x005b47ef
                                      0x005b47f0
                                      0x005b47f2
                                      0x005b47f4
                                      0x005b47f6
                                      0x005b47f8
                                      0x005b47fd
                                      0x005b47ff
                                      0x005b4801
                                      0x005b4804
                                      0x005b4806
                                      0x005b480b
                                      0x005b480d
                                      0x005b480f
                                      0x005b4811
                                      0x005b4813
                                      0x005b4814
                                      0x005b481b
                                      0x005b481d
                                      0x005b481f
                                      0x005b4821
                                      0x005b4822
                                      0x005b4827
                                      0x005b4828
                                      0x005b482a
                                      0x005b482c
                                      0x005b482e
                                      0x005b4830
                                      0x005b4835
                                      0x005b4836
                                      0x005b4838
                                      0x005b483a
                                      0x005b483c
                                      0x005b483e
                                      0x005b4843
                                      0x005b4844
                                      0x005b4846
                                      0x005b4848
                                      0x005b484a
                                      0x005b484c
                                      0x005b4851
                                      0x005b4854
                                      0x005b4856
                                      0x005b4858
                                      0x005b485a
                                      0x005b485f
                                      0x005b4861
                                      0x005b4863
                                      0x005b4866
                                      0x005b4868
                                      0x005b4868
                                      0x005b486a
                                      0x005b486d
                                      0x005b486f
                                      0x005b4871
                                      0x005b4873
                                      0x005b4875
                                      0x005b4876
                                      0x005b4876
                                      0x005b4878
                                      0x005b4879
                                      0x005b487d
                                      0x005b487f
                                      0x005b4881
                                      0x005b4883
                                      0x005b4884
                                      0x005b4889
                                      0x005b488b
                                      0x005b488d
                                      0x005b488f
                                      0x005b4891
                                      0x005b4892
                                      0x005b4897
                                      0x005b4898
                                      0x005b489a
                                      0x005b489c
                                      0x005b489e
                                      0x005b48a0
                                      0x005b48a5
                                      0x005b48aa
                                      0x005b48ac
                                      0x005b48ae
                                      0x005b48b3
                                      0x005b48b4
                                      0x005b48b6
                                      0x005b48b8
                                      0x005b48ba
                                      0x005b48bc
                                      0x005b48c6
                                      0x005b48c8
                                      0x005b48ca
                                      0x005b48cf

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.485807244.00000000005B2000.00000002.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true
• Associated: 00000000.00000002.485799687.00000000005B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.485890671.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5b0000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a47c55eb81b4a9f1896f1d5280bd498fa7ce9391988676ffd2a345046773c12e
                                      • Instruction ID: 171472511243e3930a8729f05eb7e03ac9921a1d5690b6f0f0157fe101df1274
                                      • Opcode Fuzzy Hash: a47c55eb81b4a9f1896f1d5280bd498fa7ce9391988676ffd2a345046773c12e
                                      • Instruction Fuzzy Hash: 2351802204E7C19FC7474BB84C294D67FB09E2B21432E18DFD4C18B5B3E25A199AE776
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486342034.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d80000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 13bcedc5e8b3bef40d0b6462ea1442c2a4ea0b410218e007ff63e8e7c569bc29
                                      • Instruction ID: a0ec61739ddc318f5e4d2311631447fa90fdff87c1c87fb91ba3c94e84637705
                                      • Opcode Fuzzy Hash: 13bcedc5e8b3bef40d0b6462ea1442c2a4ea0b410218e007ff63e8e7c569bc29
                                      • Instruction Fuzzy Hash: F0414271E05A58CBEB1CDF6B8C4079AFAF7AFC9301F14C1BA884DAA255DB3049818F11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.486342034.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d80000_SecuriteInfo.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 21bd7cf3a432a7c333bbaeda03f5a3e794fdb03bbba7ecd07a3a2a0755f8f91a
                                      • Instruction ID: bde1a03aede8137c615c6ce19278c816004ef0acca0060264f2a685757911fde
                                      • Opcode Fuzzy Hash: 21bd7cf3a432a7c333bbaeda03f5a3e794fdb03bbba7ecd07a3a2a0755f8f91a
                                      • Instruction Fuzzy Hash: F1413771E05A588BEB5CCF6B8D4078AFAF7BFC9301F14C1BA884DAA215DB3049418F11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:3.6%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:4.2%
                                      Total number of Nodes:309
                                      Total number of Limit Nodes:35
                                      execution_graph 17341 41f1f0 17342 41f1fb 17341->17342 17344 41b970 17341->17344 17345 41b996 17344->17345 17350 409d40 17345->17350 17347 41b9a2 17349 41b9b5 17347->17349 17357 40c1c0 17347->17357 17349->17342 17351 409d43 17350->17351 17371 409c90 17351->17371 17353 409d54 17353->17347 17354 409d4d 17354->17353 17378 40f180 17354->17378 17358 40c1e5 17357->17358 17370 40c445 17358->17370 17618 408a60 17358->17618 17360 40c348 17361 41bdc0 RtlFreeHeap 17360->17361 17363 40c355 17361->17363 17362 40c2eb 17362->17360 17364 40c392 17362->17364 17367 40c3a2 17362->17367 17362->17370 17363->17349 17365 41bdc0 RtlFreeHeap 17364->17365 17366 40c399 17365->17366 17366->17349 17367->17360 17368 40c421 17367->17368 17369 41bdc0 RtlFreeHeap 17368->17369 17369->17370 17370->17349 17373 409ca3 17371->17373 17372 409cb6 17372->17354 17373->17372 17382 41b2b0 17373->17382 17375 409cf3 17375->17372 17391 409ab0 17375->17391 17377 409d13 17377->17354 17379 40f199 17378->17379 17380 41a490 NtClose 17379->17380 17381 409d65 17379->17381 17380->17381 17381->17347 17383 41b2c9 17382->17383 17394 414a50 17383->17394 17385 41b2e1 17386 41b2ea 17385->17386 17423 41b0f0 17385->17423 17386->17375 17388 41b2fe 17388->17386 17435 41bdc0 17388->17435 17611 407ea0 17391->17611 17393 409aca 17393->17377 17395 414a64 17394->17395 17396 414b73 17394->17396 17395->17396 17438 41a360 17395->17438 17396->17385 17398 414bb7 17399 41bdc0 RtlFreeHeap 17398->17399 17403 414bc3 17399->17403 17400 414d49 17402 41a490 NtClose 17400->17402 17401 414d5f 17496 414790 17401->17496 17404 414d50 17402->17404 17403->17396 17403->17400 17403->17401 17407 414c52 17403->17407 17404->17385 17406 414d72 17406->17385 17408 414cb9 17407->17408 17409 414c61 17407->17409 17408->17400 17415 414ccc 17408->17415 17410 414c66 17409->17410 17411 414c7a 17409->17411 17483 414650 17410->17483 17413 414c97 17411->17413 17414 414c7f 17411->17414 17413->17404 17451 414410 17413->17451 17441 
4146f0 17414->17441 17493 41a490 17415->17493 17416 414c70 17416->17385 17418 414c8d 17418->17385 17421 414caf 17421->17385 17422 414d38 17422->17385 17424 41b101 17423->17424 17425 41b113 17424->17425 17426 41b134 17424->17426 17542 41bd40 17424->17542 17425->17388 17545 414070 17426->17545 17429 41b180 17429->17388 17430 41b157 17430->17429 17431 414070 2 API calls 17430->17431 17433 41b179 17431->17433 17433->17429 17574 415390 17433->17574 17434 41b20a 17434->17388 17608 41a670 17435->17608 17437 41b359 17437->17375 17439 41a37c NtCreateFile 17438->17439 17523 41af60 17438->17523 17439->17398 17442 41470c 17441->17442 17443 414734 17442->17443 17444 414748 17442->17444 17446 41a490 NtClose 17443->17446 17445 41a490 NtClose 17444->17445 17447 414751 17445->17447 17448 41473d 17446->17448 17525 41bfd0 17447->17525 17448->17418 17450 41475c 17450->17418 17452 41445b 17451->17452 17453 41448e 17451->17453 17455 41a490 NtClose 17452->17455 17454 4144aa 17453->17454 17457 4145d9 17453->17457 17458 4144e1 17454->17458 17459 4144cc 17454->17459 17456 41447f 17455->17456 17456->17421 17463 41a490 NtClose 17457->17463 17461 4144e6 17458->17461 17462 4144fc 17458->17462 17460 41a490 NtClose 17459->17460 17464 4144d5 17460->17464 17465 41a490 NtClose 17461->17465 17470 414501 17462->17470 17531 41bf90 17462->17531 17466 414639 17463->17466 17464->17421 17467 4144ef 17465->17467 17466->17421 17467->17421 17477 414513 17470->17477 17534 41a410 17470->17534 17471 414567 17472 414585 17471->17472 17473 41459a 17471->17473 17475 41a490 NtClose 17472->17475 17474 41a490 NtClose 17473->17474 17476 4145a3 17474->17476 17475->17477 17478 4145cf 17476->17478 17537 41bb90 17476->17537 17477->17421 17478->17421 17480 4145ba 17481 41bdc0 RtlFreeHeap 17480->17481 17482 4145c3 17481->17482 17482->17421 17484 41468d 17483->17484 17485 414694 17484->17485 17486 4146a8 17484->17486 17487 41a490 NtClose 17485->17487 17489 41a490 NtClose 17486->17489 17488 41469d 17487->17488 17488->17416 
17490 4146d2 17489->17490 17491 41a490 NtClose 17490->17491 17492 4146dc 17491->17492 17492->17416 17494 41a4ac NtClose 17493->17494 17495 41af60 17493->17495 17494->17422 17495->17494 17497 4147ce 17496->17497 17498 4147d7 17497->17498 17499 4147ec 17497->17499 17500 41a490 NtClose 17498->17500 17501 414810 17499->17501 17502 41485a 17499->17502 17510 4147e0 17500->17510 17506 41a490 NtClose 17501->17506 17503 4148a0 17502->17503 17504 41485f 17502->17504 17505 4149da 17503->17505 17508 4148b2 17503->17508 17507 41a410 NtReadFile 17504->17507 17504->17510 17505->17510 17516 41a410 NtReadFile 17505->17516 17506->17510 17509 41488a 17507->17509 17512 4148b7 17508->17512 17514 4148f2 17508->17514 17511 41a490 NtClose 17509->17511 17510->17406 17513 414893 17511->17513 17515 41a490 NtClose 17512->17515 17513->17406 17514->17510 17520 41a490 NtClose 17514->17520 17517 4148e3 17515->17517 17518 414a31 17516->17518 17517->17406 17519 41a490 NtClose 17518->17519 17521 414a3a 17519->17521 17522 414925 17520->17522 17521->17406 17522->17406 17524 41af70 17523->17524 17524->17439 17528 41a630 17525->17528 17527 41bfea 17527->17450 17529 41af60 17528->17529 17530 41a64c RtlAllocateHeap 17529->17530 17530->17527 17532 41a630 RtlAllocateHeap 17531->17532 17533 41bfa8 17531->17533 17532->17533 17533->17470 17535 41a42c NtReadFile 17534->17535 17536 41af60 17534->17536 17535->17471 17536->17535 17538 41bbb4 17537->17538 17539 41bb9d 17537->17539 17538->17480 17539->17538 17540 41bf90 RtlAllocateHeap 17539->17540 17541 41bbcb 17540->17541 17541->17480 17584 41a540 17542->17584 17544 41bd6d 17544->17426 17546 414081 17545->17546 17548 414089 17545->17548 17546->17430 17547 41435c 17547->17430 17548->17547 17587 41cf30 17548->17587 17550 4140dd 17551 41cf30 RtlAllocateHeap 17550->17551 17557 4140e8 17551->17557 17552 414136 17598 41cfb0 17552->17598 17554 41413f 17556 41cf30 RtlAllocateHeap 17554->17556 17559 41414a 17556->17559 17557->17552 17592 41cfd0 17557->17592 17558 41cfb0 2 
API calls 17560 4141b0 17558->17560 17559->17558 17561 41cf30 RtlAllocateHeap 17560->17561 17563 4141bd 17561->17563 17562 41cf30 RtlAllocateHeap 17571 414205 17562->17571 17563->17562 17566 41cf90 RtlFreeHeap 17567 41433e 17566->17567 17568 41cf90 RtlFreeHeap 17567->17568 17569 414348 17568->17569 17570 41cf90 RtlFreeHeap 17569->17570 17572 414352 17570->17572 17605 41cf90 17571->17605 17573 41cf90 RtlFreeHeap 17572->17573 17573->17547 17575 4153a1 17574->17575 17576 414a50 5 API calls 17575->17576 17578 4153b7 17576->17578 17577 41540a 17577->17434 17578->17577 17579 4153f2 17578->17579 17580 415405 17578->17580 17581 41bdc0 RtlFreeHeap 17579->17581 17582 41bdc0 RtlFreeHeap 17580->17582 17583 4153f7 17581->17583 17582->17577 17583->17434 17585 41af60 17584->17585 17586 41a55c NtAllocateVirtualMemory 17585->17586 17586->17544 17588 41cf40 17587->17588 17589 41cf46 17587->17589 17588->17550 17590 41bf90 RtlAllocateHeap 17589->17590 17591 41cf6c 17590->17591 17591->17550 17593 41cff5 17592->17593 17597 41d02d 17592->17597 17594 41bf90 RtlAllocateHeap 17593->17594 17595 41d00a 17594->17595 17596 41bdc0 RtlFreeHeap 17595->17596 17596->17597 17597->17557 17599 41cfba 17598->17599 17600 41cfbc 17598->17600 17599->17554 17601 41bf90 RtlAllocateHeap 17599->17601 17600->17554 17602 41d00a 17601->17602 17603 41bdc0 RtlFreeHeap 17602->17603 17604 41d02d 17603->17604 17604->17554 17606 414334 17605->17606 17607 41bdc0 RtlFreeHeap 17605->17607 17606->17566 17607->17606 17609 41af60 17608->17609 17610 41a68c RtlFreeHeap 17609->17610 17610->17437 17612 407eb0 17611->17612 17613 407eab 17611->17613 17614 41bd40 NtAllocateVirtualMemory 17612->17614 17613->17393 17615 407ed5 17614->17615 17616 407f38 17615->17616 17617 41bd40 NtAllocateVirtualMemory 17615->17617 17616->17393 17617->17615 17619 408a79 17618->17619 17625 4087a0 17618->17625 17621 4087a0 6 API calls 17619->17621 17624 408a9d 17619->17624 17622 408a8a 17621->17622 17622->17624 17634 40f710 17622->17634 17624->17362 
17626 407ea0 NtAllocateVirtualMemory 17625->17626 17632 4087ba 17625->17632 17626->17632 17627 408a3f 17627->17619 17629 41a490 NtClose 17629->17632 17631 40c4c0 NtClose 17631->17632 17632->17627 17632->17629 17632->17631 17641 4085d0 17632->17641 17649 40f5f0 17632->17649 17653 4083a0 17632->17653 17635 40f735 17634->17635 17636 4081a0 5 API calls 17635->17636 17639 40f759 17636->17639 17637 40f766 17637->17624 17638 414a50 5 API calls 17638->17639 17639->17637 17639->17638 17640 41bdc0 RtlFreeHeap 17639->17640 17640->17639 17642 4085e6 17641->17642 17660 419880 17642->17660 17644 4085ff 17648 408713 17644->17648 17679 4081a0 17644->17679 17646 4086e5 17647 4083a0 5 API calls 17646->17647 17646->17648 17647->17648 17648->17632 17650 40f634 17649->17650 17651 40f655 17650->17651 17652 41a490 NtClose 17650->17652 17651->17632 17652->17651 17654 4083c9 17653->17654 17655 408467 17654->17655 17656 41a490 NtClose 17654->17656 17655->17632 17657 40849a 17656->17657 17657->17655 17658 414a50 5 API calls 17657->17658 17659 4085b8 17658->17659 17659->17632 17661 41bf90 RtlAllocateHeap 17660->17661 17662 419897 17661->17662 17686 409310 17662->17686 17664 4198b2 17665 4198f0 17664->17665 17666 4198d9 17664->17666 17669 41bd40 NtAllocateVirtualMemory 17665->17669 17667 41bdc0 RtlFreeHeap 17666->17667 17668 4198e6 17667->17668 17668->17644 17670 41992a 17669->17670 17671 41bd40 NtAllocateVirtualMemory 17670->17671 17672 419943 17671->17672 17673 419bd0 17672->17673 17676 419be4 17672->17676 17674 41bdc0 RtlFreeHeap 17673->17674 17675 419bda 17674->17675 17675->17644 17677 41bdc0 RtlFreeHeap 17676->17677 17678 419c39 17677->17678 17678->17644 17680 40829f 17679->17680 17681 4081b5 17679->17681 17680->17646 17681->17680 17682 414a50 5 API calls 17681->17682 17683 408222 17682->17683 17684 41bdc0 RtlFreeHeap 17683->17684 17685 408249 17683->17685 17684->17685 17685->17646 17687 409335 17686->17687 17689 40938d 17687->17689 17690 40cf20 17687->17690 17689->17664 17692 40cf4c 
17690->17692 17691 40cf6c 17691->17689 17692->17691 17693 41a490 NtClose 17692->17693 17694 40cfca 17693->17694 17694->17689

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
• Block 0: 41a40a-41a459, call 41af60, NtReadFile
                                      APIs
                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1JA$rMA$rMA
                                      • API String ID: 2738559852-782607585
                                      • Opcode ID: a13c45e5fbcc5ab7269304fadf385433b61bce6fb21a853c3127667312c94cae
                                      • Instruction ID: c83d990fea24606c02c2fcd1564be42ca98a0e01f154b7c4b78d1484654f40ed
                                      • Opcode Fuzzy Hash: a13c45e5fbcc5ab7269304fadf385433b61bce6fb21a853c3127667312c94cae
                                      • Instruction Fuzzy Hash: B4F01DB2500148ABCB15DF99D880CEBBBADEF8C614B15874DFD5C93206C634E855CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
• Block 3: 41a410-41a426
• Block 4: 41a42c-41a459, NtReadFile
• Block 5: 41a427, call 41af60
• Edges: 3->4, 3->5, 5->4
                                      C-Code - Quality: 37%
                                      			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                      				void* _t18;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      
                                      				_t13 = _a4;
                                      				_t28 = _a4 + 0xc48;
                                      				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                      				_t4 =  &_a40; // 0x414a31
                                      				_t6 =  &_a32; // 0x414d72
                                      				_t12 =  &_a8; // 0x414d72
                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                      				return _t18;
                                      			}






                                      Instruction addresses: 0x0041a413, 0x0041a41f, 0x0041a427, 0x0041a42c, 0x0041a432, 0x0041a44d, 0x0041a455, 0x0041a459

                                      APIs
                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1JA$rMA$rMA
                                      • API String ID: 2738559852-782607585
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 97 41a35a-41a3b1 call 41af60 NtCreateFile
                                      C-Code - Quality: 64%
                                      			E0041A35A(void* __eax, void* __ebx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t23;
                                      				void* _t34;
                                      
                                      				asm("arpl sp, bx");
                                      				asm("repne and edx, [ebp-0x75]");
                                      				_t17 = _a4;
                                      				_t3 = _t17 + 0xc40; // 0xc40
                                      				E0041AF60(_t34, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t23;
                                      			}





                                      Instruction addresses: 0x0041a35c, 0x0041a35e, 0x0041a363, 0x0041a36f, 0x0041a377, 0x0041a3ad, 0x0041a3b1

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: ccb74c8184052112f1aef663f65ef0dbaa55e3d792ca893225bc33dcf0e7fe7b
                                      • Instruction ID: 9b490968ff35cdedebdbcde5cba0c0a9472da4c09bdc8eea8e863433126038c4
                                      • Opcode Fuzzy Hash: ccb74c8184052112f1aef663f65ef0dbaa55e3d792ca893225bc33dcf0e7fe7b
                                      • Instruction Fuzzy Hash: F301AFB2211108AFCB18CF99DC95EEB77B9AF8C754F158248BA0D97241C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 100 41a360-41a376 101 41a37c-41a3b1 NtCreateFile 100->101 102 41a377 call 41af60 100->102 102->101
                                      C-Code - Quality: 100%
                                      			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t21;
                                      				void* _t31;
                                      
                                      				_t3 = _a4 + 0xc40; // 0xc40
                                      				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t21;
                                      			}





                                      Instruction addresses: 0x0041a36f, 0x0041a377, 0x0041a3ad, 0x0041a3b1

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 103 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                      C-Code - Quality: 100%
                                      			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                      				long _t14;
                                      				void* _t21;
                                      
                                      				_t3 = _a4 + 0xc60; // 0xca0
                                      				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                      				return _t14;
                                      			}





                                      Instruction addresses: 0x0041a54f, 0x0041a557, 0x0041a579, 0x0041a57d

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 106 41a53a-41a556 107 41a55c-41a57d NtAllocateVirtualMemory 106->107 108 41a557 call 41af60 106->108 108->107
                                      C-Code - Quality: 100%
                                      			E0041A53A(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                      				long _t16;
                                      				void* _t24;
                                      
                                      				_t12 = _a4;
                                      				_t3 = _t12 + 0xc60; // 0xca0
                                      				E0041AF60(_t24, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                      				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                      				return _t16;
                                      			}





                                      Instruction addresses: 0x0041a543, 0x0041a54f, 0x0041a557, 0x0041a579, 0x0041a57d

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: 18b0bfb160bd22a6fdbd05726d3fe2fc860348bb3bec4f46728649a57936ef26
                                      • Instruction ID: 840ea55012c3240a81c526d92bfd107ee8cf5fefeea859ac2fa4770ac8645a47
                                      • Opcode Fuzzy Hash: 18b0bfb160bd22a6fdbd05726d3fe2fc860348bb3bec4f46728649a57936ef26
                                      • Instruction Fuzzy Hash: C4F030B51001496BCB14DFA8DC84CE777A9FF88314B15864DF95D97216C634D855CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 112 41a48a-41a4b9 call 41af60 NtClose
                                      C-Code - Quality: 58%
                                      			E0041A48A(intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t12;
                                      
                                      				asm("std");
                                      				asm("cli");
                                      				asm("sbb [ecx+0x55], bl");
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x40a943
                                      				E0041AF60(_t12, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}





                                      Instruction addresses: 0x0041a48a, 0x0041a48b, 0x0041a48e, 0x0041a493, 0x0041a496, 0x0041a49f, 0x0041a4a7, 0x0041a4b5, 0x0041a4b9

                                      APIs
                                      • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 6efbfcfbfb7d3ce505a7b9eacd83757c3baa335a86c6fc97a1d7122fb7741f8a
                                      • Instruction ID: c7ffe06153fef71072f5991e8144e8df839eb45c0d9299592e6ee7690007c2a8
                                      • Opcode Fuzzy Hash: 6efbfcfbfb7d3ce505a7b9eacd83757c3baa335a86c6fc97a1d7122fb7741f8a
                                      • Instruction Fuzzy Hash: CFE08C76241214ABE710EBA4CC46FDB3B68EF48764F18409ABA0C5B242C131E601C6D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 115 41a490-41a4a6 116 41a4ac-41a4b9 NtClose 115->116 117 41a4a7 call 41af60 115->117 117->116
                                      C-Code - Quality: 100%
                                      			E0041A490(intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t11;
                                      
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x40a943
                                      				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}





                                      Instruction addresses: 0x0041a493, 0x0041a496, 0x0041a49f, 0x0041a4a7, 0x0041a4b5, 0x0041a4b9

                                      APIs
                                      • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E00409AB0(intOrPtr* _a4) {
                                      				intOrPtr _v8;
                                      				char _v24;
                                      				char _v284;
                                      				char _v804;
                                      				char _v840;
                                      				void* _t24;
                                      				void* _t31;
                                      				void* _t33;
                                      				void* _t34;
                                      				void* _t39;
                                      				void* _t50;
                                      				intOrPtr* _t52;
                                      				void* _t53;
                                      				void* _t54;
                                      				void* _t55;
                                      				void* _t56;
                                      
                                      				_t52 = _a4;
                                      				_t39 = 0; // executed
                                      				_t24 = E00407EA0(_t52,  &_v24); // executed
                                      				_t54 = _t53 + 8;
                                      				if(_t24 != 0) {
                                      					E004080B0( &_v24,  &_v840);
                                      					_t55 = _t54 + 8;
                                      					do {
                                      						E0041BE10( &_v284, 0x104);
                                      						E0041C480( &_v284,  &_v804);
                                      						_t56 = _t55 + 0x10;
                                      						_t50 = 0x4f;
                                      						while(1) {
                                      							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
                                      							_t56 = _t56 + 0x10;
                                      							if(_t31 != 0) {
                                      								break;
                                      							}
                                      							_t50 = _t50 + 1;
                                      							if(_t50 <= 0x62) {
                                      								continue;
                                      							} else {
                                      							}
                                      							goto L8;
                                      						}
                                      						_t9 = _t52 + 0x14; // 0xffffe045
                                      						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                      						_t39 = 1;
                                      						L8:
                                      						_t33 = E004080E0( &_v24,  &_v840);
                                      						_t55 = _t56 + 8;
                                      					} while (_t33 != 0 && _t39 == 0);
                                      					_t34 = E00408160(_t52,  &_v24); // executed
                                      					if(_t39 == 0) {
                                      						asm("rdtsc");
                                      						asm("rdtsc");
                                      						_v8 = _t34 - 0 + _t34;
                                      						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                      					}
                                      					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                      					_t20 = _t52 + 0x31; // 0x5608758b
                                      					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                      					return 1;
                                      				} else {
                                      					return _t24;
                                      				}
                                      			}



















                                      Instruction addresses: 0x00409abb, 0x00409ac3, 0x00409ac5, 0x00409aca, 0x00409acf, 0x00409ae2, 0x00409ae7, 0x00409af0, 0x00409afc, 0x00409b0f, 0x00409b14, 0x00409b17,
                                      0x00409b20, 0x00409b32, 0x00409b37, 0x00409b3c, 0x00000000, 0x00000000, 0x00409b3e, 0x00409b42, 0x00000000, 0x00000000, 0x00409b44, 0x00000000,
                                      0x00409b42, 0x00409b46, 0x00409b49, 0x00409b4f, 0x00409b51, 0x00409b5c, 0x00409b61, 0x00409b64, 0x00409b71, 0x00409b7c, 0x00409b7e, 0x00409b84,
                                      0x00409b88, 0x00409b8b, 0x00409b8b, 0x00409b92, 0x00409b95, 0x00409b9a, 0x00409ba7, 0x00409ad6, 0x00409ad6, 0x00409ad6

                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4ed878d8682106b50380cb3f7a3660dbe535b89e10b8b11201fef7fd01b0729b
                                      • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                      • Opcode Fuzzy Hash: 4ed878d8682106b50380cb3f7a3660dbe535b89e10b8b11201fef7fd01b0729b
                                      • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 6 41a630-41a661 call 41af60 RtlAllocateHeap
                                      C-Code - Quality: 100%
                                      			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                      				void* _t10;
                                      				void* _t15;
                                      
                                      				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                      				_t6 =  &_a8; // 0x414536
                                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                      				return _t10;
                                      			}





                                      Instruction addresses: 0x0041a647, 0x0041a652, 0x0041a65d, 0x0041a661

                                      APIs
                                      • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: 6EA
                                      • API String ID: 1279760036-1400015478
                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph: 109 41a670-41a6a1 call 41af60 RtlFreeHeap
                                      C-Code - Quality: 100%
                                      			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                      				char _t10;
                                      				void* _t15;
                                      
                                      				_t3 = _a4 + 0xc74; // 0xc74
                                      				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}





                                      Instruction addresses: 0x0041a67f, 0x0041a687, 0x0041a69d, 0x0041a6a1

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E0040E461(void* __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi) {
                                      				intOrPtr _t13;
                                      				void* _t23;
                                      				signed int _t27;
                                      
                                      				_t27 =  *(_t23 - 0x21) & __edx;
                                      				asm("in al, dx");
                                      				asm("popfd");
                                      				asm("das");
                                      				_t13 =  *0xe067a3a7;
                                      				 *0xe067a3a7 = __eax + 1;
                                      				asm("sbb eax, 0xbc5b857f");
                                      				goto L1;
			}

                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 04693227d2324754d253edf78a5d0782f4539675b2078b5c3d05a8a87f6c7289
                                      • Instruction ID: dca3cf068861474603e5171d8bedb687bb6ea80e4673df21934c375fa5f108ad
                                      • Opcode Fuzzy Hash: 04693227d2324754d253edf78a5d0782f4539675b2078b5c3d05a8a87f6c7289
                                      • Instruction Fuzzy Hash: D2F04C76E482504ECB21965565022F9F7609FA6335F1805BFE948BB242D125889483D8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 911ca4d4ab3ba07ea5ca059d3b1ab862ea577d4766ceac6353a10a515e7e37b4
                                      • Instruction ID: 405a7dfbe61dc8fa08123ac4f5987e170734c7b3212332cd4f585f43e281a6da
                                      • Opcode Fuzzy Hash: 911ca4d4ab3ba07ea5ca059d3b1ab862ea577d4766ceac6353a10a515e7e37b4
                                      • Instruction Fuzzy Hash: 11F050369442469FD7105E5594856D4FBB0EF52661B24139BDC443B750D6219903C6DC
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00416CE0(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                      				void* _t7;
                                      				void* _t9;
                                      
                                      				_t9 = __edx;
                                      				_t7 = __ebx;
			}

                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 01771aa3d6c53361ebaddb32c9dfe5d24b77f47642c7b99276dfb207d8a96b17
                                      • Instruction ID: 72bc5802fed5d0f6628a189b08216a4b5bdda3075fc48ea888c64c91cdca44f7
                                      • Opcode Fuzzy Hash: 01771aa3d6c53361ebaddb32c9dfe5d24b77f47642c7b99276dfb207d8a96b17
                                      • Instruction Fuzzy Hash: FCC08073FE9415065F156C3974640B9F768C69716CF10B7F7DC049B0C6E942DC5941CA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000006.00000002.487067255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_SecuriteInfo.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 17037af7997fdc8c9c601f27f5485b2d927f2ab2a9b074440b616b979a4b4259
                                      • Instruction ID: 81e8cdea54504343e58c35000c3c7bc0305b8de42091474836084dd45e7e18a0
                                      • Opcode Fuzzy Hash: 17037af7997fdc8c9c601f27f5485b2d927f2ab2a9b074440b616b979a4b4259
                                      • Instruction Fuzzy Hash: 99C08013E4441516D7154C05B8802B1F790D7C7171F1121B5CA84BB0518511E83D8594
                                      Uniqueness

                                      Uniqueness Score: -1.00%