
Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.24194.12957

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetectNet.01.24194.12957 (renamed file extension from 12957 to exe)
Analysis ID: 635348
MD5: ac85e260ef18ab08b53e04177e8c04a9
SHA1: 1137e2caa9848d3b804fecb01e12624bd5fb62bc
SHA256: 0e3a4f080d2ff0bdfa0a7e39df4982232b2d19245e6355e49940c05becfeecc5
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup
Malware Configuration (FormBook)

C2 list:
  • www.commwealth-cba-au.com/smwr/
Decoy domains (64):
  • forex.exposed
  • benditabrujaastrologia.com
  • savannah-e.com
  • cssdwljx.com
  • floridayachtparty.com
  • koru-purple.com
  • caddyscholarship.com
  • mywinningkidssedallas.com
  • operati.club
  • kinvuehealth.biz
  • littlebearbicycleoutfitters.com
  • btcfarsi.com
  • poppyteez.com
  • roninwallettsmoney.com
  • greedyp.one
  • kangshifuqwdz.com
  • osamirin.xyz
  • leaddoggq.com
  • cherrypickmerch.com
  • myqmetrbs.com
  • melonslot.info
  • mommyheartstacos.com
  • samcsu.xyz
  • 702slingshots.com
  • gnw8.com
  • officegame.xyz
  • lalunamesa.com
  • alignedtalent.tech
  • djzemi.com
  • anti-tracker-test.com
  • estilobank.com
  • n4q7.com
  • 404035.com
  • relaxtionary.com
  • beastmodewellness.com
  • lskdojfjf3k35.com
  • mtyapialanya.com
  • giftcardpulse.com
  • yy6333.com
  • sdcychemical.com
  • icarusexchange.info
  • elementsfunding.com
  • 199yb.com
  • beladicaseofertas.site
  • bi11111.com
  • esystemhr.com
  • tsharedrop.com
  • sattlerplastics.site
  • walgreensrabenefit.com
  • spatula11.com
  • sunriseteam.info
  • stephensonequipinc.com
  • fashionsbyfleur.com
  • aiscrofa.com
  • shopmeccamarket.com
  • physicistlakefront.com
  • ivermectinsales.com
  • perceptiv.academy
  • davidgilbertcarpentryplus.com
  • wynn12.com
  • medicalofficeinsurance.online
  • womenofwildpodcast.com
  • neoneuphoria.com
  • thedevonlabellady.online
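The configuration extracted from this sample has one real C2 entry (host plus URI path) and 64 decoy domains. FormBook beacons to decoys from this list with the same URI path as the real C2, so an indicator list that treats every configured domain as C2 will mislabel decoy traffic. The Python below is an added example, not part of the Joe Sandbox report: it parses the extracted configuration and classifies proxy-log lines as C2 (host and path match), decoy (host only) or unknown. The decoy list is abbreviated to four of the 64 entries, the log lines and the update.example.com host are constructed, and the handling of a leading "www." on decoy hosts is an assumption for illustration.

```python
import json
from urllib.parse import urlsplit

# Configuration as extracted by the sandbox for this sample. The decoy list is
# abbreviated here to four of the 64 entries shown in the report.
CONFIG_JSON = (
    '{"C2 list": ["www.commwealth-cba-au.com/smwr/"], '
    '"decoy": ["forex.exposed", "benditabrujaastrologia.com", '
    '"savannah-e.com", "cssdwljx.com"]}'
)

# Constructed proxy log lines (timestamp, client, method, URL); not from the report.
PROXY_LOG = """\
2022-06-01T10:00:01Z 10.0.0.5 GET http://www.commwealth-cba-au.com/smwr/?Ch=AbC123
2022-06-01T10:00:02Z 10.0.0.5 POST http://www.commwealth-cba-au.com/smwr/
2022-06-01T10:00:03Z 10.0.0.5 GET http://www.forex.exposed/smwr/?Ch=xyz
2022-06-01T10:00:04Z 10.0.0.5 GET http://www.savannah-e.com/smwr/
2022-06-01T10:00:05Z 10.0.0.5 GET https://update.example.com/check
"""


def load_config(raw):
    """Split the extracted config into [(c2_host, c2_path), ...] and a decoy set."""
    cfg = json.loads(raw)
    c2 = []
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")      # "www.host/smwr/" -> host, "smwr/"
        c2.append((host.lower(), "/" + path))
    decoys = {d.lower() for d in cfg["decoy"]}
    return c2, decoys


def strip_www(host):
    """Assumption: decoy domains are contacted with a 'www.' prefix, as the C2 entry has."""
    return host[4:] if host.startswith("www.") else host


def classify_url(url, c2, decoys):
    """Return 'c2' (host and path match), 'decoy' (host only) or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for c2_host, c2_path in c2:
        if host == c2_host and path.startswith(c2_path):
            return "c2"
    if strip_www(host) in decoys or host in decoys:
        return "decoy"
    return "unknown"


def triage(log_text, raw_config):
    """Classify every URL in the log; returns [(host, verdict), ...] in log order."""
    c2, decoys = load_config(raw_config)
    rows = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip blank or malformed lines
        url = fields[3]
        host = urlsplit(url).hostname or ""
        rows.append((host, classify_url(url, c2, decoys)))
    return rows


def summarize(rows):
    """Count verdicts so an analyst sees at a glance how much traffic is real C2."""
    counts = {"c2": 0, "decoy": 0, "unknown": 0}
    for _, verdict in rows:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    result = triage(PROXY_LOG, CONFIG_JSON)
    for host, verdict in result:
        print(f"{verdict:8} {host}")
    print(summarize(result))
```

Only the first two log lines are real C2 traffic; the two decoy requests use the same /smwr/ path but go to hosts that are only in the decoy list, and should be recorded as FormBook activity without the decoy domains being treated as attacker infrastructure.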
Source | Rule | Description | Author | Strings
00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x11538:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x118d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x3c358:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x3c6f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x66178:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x66512:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x1ec75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x49a95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x738b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x1e721:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x49541:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x73361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1ed77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x49b97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x739b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1eeef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x49d0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x73b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x122ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x3d10a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x66f2a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x21149:$sqlite3step: 68 34 1C 7B E1
    • 0x2125c:$sqlite3step: 68 34 1C 7B E1
    • 0x4bf69:$sqlite3step: 68 34 1C 7B E1
    • 0x4c07c:$sqlite3step: 68 34 1C 7B E1
    • 0x75d89:$sqlite3step: 68 34 1C 7B E1
    • 0x75e9c:$sqlite3step: 68 34 1C 7B E1
    • 0x21178:$sqlite3text: 68 38 2A 90 C5
    • 0x2129d:$sqlite3text: 68 38 2A 90 C5
    • 0x4bf98:$sqlite3text: 68 38 2A 90 C5
    • 0x4c0bd:$sqlite3text: 68 38 2A 90 C5
    • 0x75db8:$sqlite3text: 68 38 2A 90 C5
    • 0x75edd:$sqlite3text: 68 38 2A 90 C5
    • 0x2118b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x212b3:$sqlite3blob: 68 53 D8 7F 8C
    • 0x4bfab:$sqlite3blob: 68 53 D8 7F 8C
    • 0x4c0d3:$sqlite3blob: 68 53 D8 7F 8C
    • 0x75dcb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x75ef3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source | Rule | Description | Author | Strings
10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18819:$sqlite3step: 68 34 1C 7B E1
        • 0x1892c:$sqlite3step: 68 34 1C 7B E1
        • 0x18848:$sqlite3text: 68 38 2A 90 C5
        • 0x1896d:$sqlite3text: 68 38 2A 90 C5
        • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          No Sigma rule has matched
          No Snort rule has matched
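The YARA hits above are reported as raw byte sequences at memory or file offsets. Read as x86, the Formbook_1 $sequence_0 bytes 03 C8 0F 31 2B C1 89 45 FC are add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax, an RDTSC read subtracted against a saved value, which is the code behind the "Tries to detect virtualization through RDTSC time measurements" signature. The JPCERT $sqlite3step, $sqlite3text and $sqlite3blob strings are each a single push imm32 (opcode 68), and the rule names the immediates after the sqlite3 API each one selects. The Python below is an added example, not part of the report or of either rule set: it scans a buffer for the patterns quoted in the report and decodes the push immediates. The buffer is a constructed stand-in for a memory dump with the patterns planted at known offsets; the hashing scheme that produces the immediates is not given on this page and is not implemented.

```python
import struct

# Byte patterns exactly as quoted in the report's YARA string matches.
PATTERNS = {
    "sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",   # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "sequence_1":  "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sqlite3step": "68 34 1C 7B E1",               # push 0xE17B1C34
    "sqlite3text": "68 38 2A 90 C5",               # push 0xC5902A38
    "sqlite3blob": "68 53 D8 7F 8C",               # push 0x8C7FD853
}


def hex_to_bytes(hexstr):
    """Turn the report's spaced hex ("03 C8 0F") into bytes."""
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf, patterns):
    """Find every occurrence of each pattern; returns {name: [offset, ...]}."""
    hits = {}
    for name, hexstr in patterns.items():
        needle = hex_to_bytes(hexstr)
        offsets, start = [], 0
        while (pos := buf.find(needle, start)) != -1:
            offsets.append(pos)
            start = pos + 1          # keep going so overlapping matches are reported too
        hits[name] = offsets
    return hits


def push_imm32(pattern_bytes):
    """Decode a 5-byte 'push imm32' (opcode 0x68, little-endian operand); None if not one."""
    if len(pattern_bytes) == 5 and pattern_bytes[0] == 0x68:
        return struct.unpack("<I", pattern_bytes[1:])[0]
    return None


def report_lines(hits, patterns):
    """Render hits in the report's own '0xOFFSET:$name: BYTES' style."""
    lines = []
    for name, offsets in hits.items():
        for off in offsets:
            lines.append(f"0x{off:x}:${name}: {patterns[name]}")
    return lines


def build_sample_dump():
    """Constructed stand-in for a memory dump: zero filler with patterns at known offsets."""
    buf = bytearray(0x100)
    plant = {0x20: "sequence_0", 0x40: "sequence_1", 0x80: "sqlite3step",
             0x90: "sqlite3text", 0xA0: "sqlite3blob", 0xC0: "sequence_0"}
    for off, name in plant.items():
        pat = hex_to_bytes(PATTERNS[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for line in report_lines(scan(dump, PATTERNS), PATTERNS):
        print(line)
    for name in ("sqlite3step", "sqlite3text", "sqlite3blob"):
        imm = push_imm32(hex_to_bytes(PATTERNS[name]))
        print(f"{name}: push 0x{imm:08X}")
```

Run against a real dump (for example the .sdmp files listed above, read with open(path, "rb").read()) the same scan reproduces the offsets the report prints; the rules themselves add match conditions (how many $sequence_N strings must be present) that are not shown on this page, so the scan reports string hits, not rule verdicts.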


          AV Detection

Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 list: www.commwealth-cba-au.com/smwr/; 64 decoy domains, identical to the configuration shown earlier in this report)
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | Virustotal: Detection: 31%
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | ReversingLabs: Detection: 26%
Source: Yara match | File source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: www.commwealth-cba-au.com/smwr/ | Avira URL Cloud: Label: phishing
Source: www.commwealth-cba-au.com/smwr/ | Virustotal: Detection: 6%
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | Joe Sandbox ML: detected
Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: IServiceProvi.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.299161872.00000000013D9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.302487104.0000000001710000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.300721098.0000000001577000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.303083966.000000000182F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.299161872.00000000013D9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.302487104.0000000001710000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.300721098.0000000001577000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.303083966.000000000182F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | Code function: 4x nop then pop edi | 10_2_0040CA10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | Code function: 4x nop then pop ebx | 10_2_00406EA5

          Networking

Source: Malware configuration extractor | URLs: www.commwealth-cba-au.com/smwr/
Note: the configured C2 URL above is the only network indicator in this section that comes from the malware configuration. The remaining URLs were found as strings in the memory of the first-stage process and are font-vendor and license strings of the kind carried in embedded font metadata (fontbureau.com, founder.com.cn, jiyu-kobo.co.jp, sajatypeworks.com and similar, several with trailing garbage characters from the memory scan); treat them as noise rather than as indicators. No Snort rule matched during the analysis.
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.299899600.0000000005C60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.271142884.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com.TTF
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.268320197.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.276029305.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.268320197.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269530321.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlX4
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269072747.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269013352.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269126032.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269174089.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersE
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.276091209.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.276029305.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers_
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269675889.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269723077.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersl#
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269072747.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269013352.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269126032.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.268902046.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.269174089.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersz
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.270438377.0000000005C9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers~
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.306903174.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.299986023.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.278971595.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.276139218.0000000005C66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.284163429.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.276289023.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.299899600.0000000005C60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.271142884.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.271142884.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.271142884.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comsiefRPho
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.271142884.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comueTF
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.306903174.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.299986023.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.278971595.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.276139218.0000000005C66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.284163429.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.276289023.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.299899600.0000000005C60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comuemQ
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.262954837.0000000005C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.262954837.0000000005C64000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263269492.0000000005C67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263072140.0000000005C66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263158470.0000000005C67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263201849.0000000005C67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.262993160.0000000005C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn7R
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.262954837.0000000005C64000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263269492.0000000005C67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263072140.0000000005C66000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263158470.0000000005C67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.263201849.0000000005C67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.262993160.0000000005C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnu-e
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.266268752.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.266482682.0000000005C6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.266179512.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.266268752.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.266179512.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000003.266268752.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307326512.0000000006F52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud

Source: Yara match | File source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.7640000.10.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.3e19698.5.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.7640000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.3e19698.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.3de2098.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
          Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.307980794.0000000007640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
          Source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.7640000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.3e19698.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.7640000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.3e19698.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.3de2098.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.307980794.0000000007640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_02BE81D6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_02BE4304
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_02BE6750
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_02BE6740
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_05E50628
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_05E50040
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_05E5BB80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_05E54B68
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_05E54B58
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_05E5B758
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 0_2_05E53118
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_00401030
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041DA02
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041EA3C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_00409280
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0040DC20
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041DD23
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_00402D90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041DE07
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041E7D2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_00402FB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041A320 NtCreateFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041A3D0 NtReadFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041A450 NtClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041A500 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041A31A NtCreateFile
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041A4FA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041A57A NtAllocateVirtualMemory
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000000.248743064.00000000007BC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIServiceProvi.exe" vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.307980794.0000000007640000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.305828857.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.303791071.00000000019BF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000000.296425380.0000000000B7C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIServiceProvi.exe" vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.301089716.0000000001696000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.299295732.00000000014EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.303083966.000000000182F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Binary or memory string: OriginalFilenameIServiceProvi.exe" vs SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Virustotal: Detection: 31%
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe ReversingLabs: Detection: 26%
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.log
          Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@0/0
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.700000.0.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.700000.0.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.700000.0.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.700000.0.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.9.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.9.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.1.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.1.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.2.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.2.unpack, gH/kD.cs Cryptographic APIs: 'CreateDecryptor'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: IServiceProvi.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.299161872.00000000013D9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.302487104.0000000001710000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.300721098.0000000001577000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.303083966.000000000182F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.299161872.00000000013D9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.302487104.0000000001710000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000003.300721098.0000000001577000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 0000000A.00000002.303083966.000000000182F000.00000040.00000800.00020000.00000000.sdmp
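The three "Process created" entries above show the pattern that matters for detection: the sample is launched from the desktop with a quoted path, then starts a second copy of its own image with a bare path as the command line, and it is that second copy (process 10) that ends up running the unpacked Formbook code with the NtAllocateVirtualMemory calls listed above. The following is an added detection example, not part of the Joe Sandbox report and not Joe Sandbox code. It scores self-spawning processes over Sysmon Event ID 1 (ProcessCreate) style records; the records, PIDs, the browser decoy and the list of user-writable directories are constructed for the demonstration.

```python
"""Detection check for the self-spawn pattern in the process tree above:
a process that starts a second copy of its own image, the precursor to
suspended-process injection of the unpacked payload.  Added example, not
part of the Joe Sandbox report.  Records follow Sysmon Event ID 1
(ProcessCreate) fields; the events, PIDs and path list are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    command_line: str
    parent_image: str


SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed events.  5204 -> 5288 mirrors the report: the sample is started
# from the desktop with a quoted path, then starts itself with a bare path.
EVENTS: List[ProcessCreate] = [
    ProcessCreate(5204, 4120, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcessCreate(5288, 5204, SAMPLE, SAMPLE, SAMPLE),
    # a benign self-spawn (browser content process) that must score lower
    ProcessCreate(6100, 5000, FIREFOX, f'"{FIREFOX}" -contentproc --channel=1234', FIREFOX),
]

# assumption: locations a first-stage dropper is typically executed from
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def find_self_spawns(events: List[ProcessCreate]) -> List[dict]:
    """One finding per child whose image equals its parent's image, scored
    1..3.  A relaunch with no arguments at all, from a user-writable
    directory, is the high-confidence case: legitimate self-spawners
    (browsers, updaters) pass arguments telling the child what to do, while
    a hollowing loader only needs a suspended shell of its own image."""
    findings = []
    for ev in events:
        if ev.parent_image.lower() != ev.image.lower():
            continue
        bare_relaunch = ev.command_line.strip('"').lower() == ev.image.lower()
        from_user_path = ev.image.lower().startswith(USER_WRITABLE_PREFIXES)
        findings.append({
            "parent_pid": ev.ppid, "child_pid": ev.pid, "image": ev.image,
            "bare_relaunch": bare_relaunch, "user_writable_path": from_user_path,
            "score": 1 + int(bare_relaunch) + int(from_user_path),
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in find_self_spawns(EVENTS):
        print(f["score"], f["parent_pid"], "->", f["child_pid"], f["image"])
```

On real telemetry the score-3 finding is worth pairing with the other signals this report records for the same child: creation in suspended mode, followed by memory allocation and a PE written into the child before its first thread runs. The image-equality check alone also fires on browsers and updaters, which is why the example scores rather than alerts.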

          Data Obfuscation

          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, gH/kD.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.700000.0.unpack, gH/kD.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.700000.0.unpack, gH/kD.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.9.unpack, gH/kD.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.1.unpack, gH/kD.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.ac0000.2.unpack, gH/kD.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041790A push es; retf 10_2_00417912
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_00417185 push es; iretd 10_2_004171B1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041F2D8 push ebp; ret 10_2_0041F2DA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041F2A7 push ebp; ret 10_2_0041F2A8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041D672 push eax; ret 10_2_0041D678
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041D67B push eax; ret 10_2_0041D6E2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041D625 push eax; ret 10_2_0041D678
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_0041D6DC push eax; ret 10_2_0041D6E2
          Source: initial sample Static PE information: section name: .text entropy: 7.74063196542
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: Yara match, file source: 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.302576696.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe PID: 3920, type: MEMORYSTR
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302576696.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302576696.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe RDTSC instruction interceptor: First address: 0000000000408F9E second address: 0000000000408FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe TID: 6080 Thread sleep time: -43731s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe TID: 5288 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_00408ED0 rdtsc 10_2_00408ED0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Thread delayed: delay time: 43731
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Thread delayed: delay time: 922337203685477
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
          Source: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Code function: 10_2_00408ED0 rdtsc 10_2_00408ED0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Memory allocated: page read and write | page guard
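The evasion section above is a list of raw observations: Sandboxie, Wine and VMware strings found in process memory, two rdtsc instructions bracketing a short arithmetic sequence (a cycle-delta check), thread delays of 43731 ms and 922337203685477 ms, and a DebugPort query; the HIPS section below adds a PE image (bytes 4D5A) written to the sample's own image base in a second instance of itself. The Python helper that follows is an added editor's example, not part of the Joe Sandbox report or of the sample's code. It parses lines in the report's text format into a per-technique summary so the same checks can be applied to other reports. Its input is constructed by copying lines from this page; the regexes and the marker-to-product table are the editor's assumptions about the report format; the stall threshold rests on one fact, that 922337203685477 ms is Int64.MaxValue ticks divided by 10000, i.e. .NET's TimeSpan.MaxValue expressed in milliseconds, a delay that never elapses.

```python
# Editor's added triage helper, not part of the Joe Sandbox report or the sample.
# Regexes and the marker->product table are assumptions about the report's text
# format, derived from the behaviour lines on this page.
import re
from dataclasses import dataclass, field

# Memory strings the report attributes to sandbox/VM detection (editor's mapping).
ANTI_VM_MARKERS = {
    "sbiedll.dll": "Sandboxie",             # Sandboxie's injected DLL
    "wine_get_unix_file_name": "Wine",      # export only present in Wine's kernel32
    "vmware": "VMware",                     # VMware Tools paths, SVGA adapter name
}

# Int64.MaxValue ticks / 10000 ticks per ms = .NET TimeSpan.MaxValue in ms.
# A delay this long never elapses, so it is a deliberate stall, not a pause.
DOTNET_TIMESPAN_MAX_MS = 922_337_203_685_477

SLEEP_RE = re.compile(r"Thread delayed: delay time: (\d+)")
RDTSC_RE = re.compile(
    r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
    r"second address: ([0-9A-Fa-f]+) instructions: (.+)$"
)
DEBUG_RE = re.compile(r"Process queried: (DebugPort|DebugObjectHandle|DebugFlags)")
PE_WRITE_RE = re.compile(r"Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: 4D5A")
STRING_RE = re.compile(r"Binary or memory string: (.+)$")

@dataclass
class EvasionSummary:
    anti_vm: dict = field(default_factory=dict)      # memory string -> product
    sleeps_ms: list = field(default_factory=list)    # every reported delay, in ms
    rdtsc_pairs: list = field(default_factory=list)  # (first, second, [instructions])
    debugger_checks: list = field(default_factory=list)
    pe_writes: list = field(default_factory=list)    # (target process, image base)

    def infinite_sleeps(self):
        return [ms for ms in self.sleeps_ms if is_effectively_infinite(ms)]

    def techniques(self):
        """Labels of every technique with at least one supporting line."""
        present = {"anti_vm_string": self.anti_vm, "long_sleep": self.sleeps_ms,
                   "rdtsc_timing": self.rdtsc_pairs, "debugger_check": self.debugger_checks,
                   "pe_image_write": self.pe_writes}
        return {label for label, hits in present.items() if hits}

def is_effectively_infinite(delay_ms):
    return delay_ms >= DOTNET_TIMESPAN_MAX_MS

def parse_instructions(text):
    """'0x00000000 rdtsc 0x00000002 xor ecx, ecx' -> ['rdtsc', 'xor ecx, ecx']."""
    parts = re.split(r"\s*0x[0-9A-Fa-f]{8}\s+", text.strip())
    return [p.strip() for p in parts if p.strip()]

def brackets_timing(instructions):
    """True for the classic delta check: an rdtsc at both ends of the block."""
    return len(instructions) >= 2 and instructions[0] == "rdtsc" and instructions[-1] == "rdtsc"

def classify_line(line, summary):
    # Route one report line into the summary; return its technique label or None.
    line = line.removesuffix("Jump to behavior").strip()  # strip HTML link residue
    if m := SLEEP_RE.search(line):
        summary.sleeps_ms.append(int(m.group(1)))
        return "long_sleep"
    if m := RDTSC_RE.search(line):
        summary.rdtsc_pairs.append((m.group(1), m.group(2), parse_instructions(m.group(3))))
        return "rdtsc_timing"
    if m := DEBUG_RE.search(line):
        summary.debugger_checks.append(m.group(1))
        return "debugger_check"
    if m := PE_WRITE_RE.search(line):
        summary.pe_writes.append((m.group(1), m.group(2)))
        return "pe_image_write"
    if m := STRING_RE.search(line):
        lowered = m.group(1).lower()
        for marker, product in ANTI_VM_MARKERS.items():
            if marker in lowered:
                summary.anti_vm[m.group(1)] = product
                return "anti_vm_string"
    return None

def summarize(lines):
    summary = EvasionSummary()
    for line in lines:
        classify_line(line, summary)
    return summary

# Constructed input: copies of behaviour lines from this report.
EXE = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe"
DUMP = "SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp"
SAMPLE_LINES = [
    f"Source: {DUMP} Binary or memory string: SBIEDLL.DLL",
    f"Source: {DUMP} Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    f"Source: {EXE} RDTSC instruction interceptor: First address: 0000000000408C04 "
    "second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx "
    "0x00000004 add ecx, eax 0x00000006 rdtsc",
    f"Source: {EXE} Thread delayed: delay time: 922337203685477Jump to behavior",
    f"Source: {EXE} Thread delayed: delay time: 43731",
    f"Source: {DUMP} Binary or memory string: VMware SVGA II",
    f"Source: {DUMP} Binary or memory string: VMWAREDSOFTWARE\\VMware, Inc.\\VMware Tools",
    f"Source: {EXE} Process queried: DebugPort",
    f"Source: {EXE} Memory written: {EXE} base: 400000 value starts with: 4D5A",
]
```

Running `summarize(SAMPLE_LINES).techniques()` on the constructed lines yields all five labels; `infinite_sleeps()` isolates the 922337203685477 ms delay from the 43731 ms one, and `brackets_timing` confirms the intercepted block is a two-rdtsc delta check rather than a lone timestamp read. The "Memory allocated: page read and write | page guard" line from the section above is deliberately not classified: a guard page on its own is not evidence of evasion.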

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: the VolumeInformation queries against installed fonts and against GAC assemblies are what the .NET runtime (assembly loading) and System.Drawing (font enumeration for a WinForms UI) do for any managed GUI executable; on their own they are not indicators. The GAC entries do show which assemblies the loader pulled in: System.Management is the WMI client library, and Microsoft.VisualBasic provides late-bound invocation helpers. The MachineGuid read is the line worth keeping: that registry value is a stable per-installation identifier and is commonly read by malware to fingerprint the host or derive a victim ID.

Stealing of Sensitive Information

Yara match; file source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE
Yara match; file source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE
Yara match; file source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara match; file source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE
Yara match; file source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE
Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE
Yara match; file source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match; file source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
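
The Yara matches above are identified only by Joe Sandbox's memory-dump and unpacked-PE file names. The Python below is an added example (not Joe Sandbox code and not part of the original report) that decodes those names so each match can be read as "which process, which address, which page protection". The field positions are an assumption inferred by cross-referencing the two naming schemes on this page (0000000A is process 10, and 0000000000400000 is the .400000. base that the 10.2.<name>.400000.* unpack names carry); the PAGE_* values are the documented Windows constants; the hollowing heuristic at the end is mine, not the report's.

```python
"""Decode Joe Sandbox memory-dump and unpacked-PE names from a Yara match list."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows page-protection constants (winnt.h); these values are documented.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# <proc>.<idx>.<timestamp>.<base>.<protection>.<f6>.<f7>.<f8>.sdmp
# Field roles are an assumption inferred from this report (see lead-in);
# fields 3 and 6-8 are captured but deliberately not interpreted.
_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<idx>[0-9a-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<f7>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)

# <proc>.<idx>.<original file name>.<base hex>.<n>[.raw].unpack
_UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<idx>\d+)\.(?P<file>.+)\.(?P<base>[0-9a-f]+)\."
    r"(?P<n>\d+)(?:\.raw)?\.unpack$", re.IGNORECASE)

_SOURCE_RE = re.compile(r"file source:\s*(\S+?),\s*type:\s*(\w+)", re.IGNORECASE)


@dataclass(frozen=True)
class Region:
    process_number: int   # Joe Sandbox process index; 0 is the submitted sample
    dump_index: int       # dump number within that process
    base: int             # region base address
    protection: int       # raw PAGE_* value

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, hex(self.protection))

    @property
    def is_rwx(self) -> bool:
        return (self.protection & 0xFF) in (0x40, 0x80)


def parse_sdmp_name(name: str) -> Region:
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox memory dump name: {name!r}")
    return Region(int(m["proc"], 16), int(m["idx"], 16),
                  int(m["base"], 16), int(m["prot"], 16))


def parse_unpack_name(name: str) -> Tuple[int, int, int]:
    """(process number, dump index, base address) of an unpacked-PE name."""
    m = _UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox unpacked-PE name: {name!r}")
    return int(m["proc"]), int(m["idx"]), int(m["base"], 16)


def parse_yara_sources(lines: List[str]) -> Tuple[List[Region], List[Tuple[int, int, int]]]:
    """Split report lines of the form '... file source: <name>, type: <T>'."""
    regions, unpacked = [], []
    for line in lines:
        m = _SOURCE_RE.search(line)
        if not m:
            continue
        name, kind = m.groups()
        if kind.upper() == "MEMORY":
            regions.append(parse_sdmp_name(name))
        elif kind.upper() == "UNPACKEDPE":
            unpacked.append(parse_unpack_name(name))
    return regions, unpacked


def hollowing_candidates(regions: List[Region]) -> List[Region]:
    """Heuristic (mine, not the report's): a writable+executable region at an
    allocation-granularity-aligned base in a process other than the submitted
    sample is the footprint a hollowed/injected PE leaves in these dumps."""
    return [r for r in regions
            if r.is_rwx and r.process_number != 0 and r.base % 0x10000 == 0]


def correlate(unpacked, regions) -> Dict[Tuple[int, int, int], List[Region]]:
    """Map each unpacked PE to the dumps sharing its process, index and base."""
    return {key: [r for r in regions
                  if (r.process_number, r.dump_index, r.base) == key]
            for key in sorted(set(unpacked))}


# The Yara match list from this report, copied from the section above.
REPORT_LINES = [
    "Yara match; file source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "Yara match; file source: 10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack, type: UNPACKEDPE",
    "Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack, type: UNPACKEDPE",
    "Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack, type: UNPACKEDPE",
    "Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.raw.unpack, type: UNPACKEDPE",
    "Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack, type: UNPACKEDPE",
    "Yara match; file source: 10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.raw.unpack, type: UNPACKEDPE",
    "Yara match; file source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Yara match; file source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Yara match; file source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Yara match; file source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    regions, unpacked = parse_yara_sources(REPORT_LINES)
    for r in hollowing_candidates(regions):
        print(f"process {r.process_number}: {r.protection_name} at 0x{r.base:x} (dump {r.dump_index})")
    for key, dumps in correlate(unpacked, regions).items():
        print(f"unpacked PE {key[0]}.{key[1]} @0x{key[2]:x} <- {len(dumps)} dump(s)")
```

Run as a script it reports that all three matched regions in process 10 are PAGE_EXECUTE_READWRITE and sit at 0x400000, the default image base of a 32-bit PE. A writable and executable image-base region in a child process is the pattern the report's "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures describe, whereas the single match in process 0 (the submitted loader) is a plain PAGE_READWRITE region at 0x3C01000, the decoded payload sitting in the loader before injection.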
MITRE ATT&CK Matrix (techniques with a leading number are the ones the report mapped signatures to; the number is the report's signature-count badge, reproduced as rendered; all other entries are the unmatched matrix template)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 13 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 221 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 112 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | 31% | Virustotal | | Browse
SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | 27% | ReversingLabs | ByteCode-MSIL.Spyware.Noon |
SecuriteInfo.com.W32.AIDetectNet.01.24194.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
10.2.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
10.0.SecuriteInfo.com.W32.AIDetectNet.01.24194.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.fontbureau.comueTF | 0% | URL Reputation | safe |
http://www.fontbureau.comuemQ | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn7R | 0% | Avira URL Cloud | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://www.fontbureau.coma | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
www.commwealth-cba-au.com/smwr/ | 7% | Virustotal | | Browse
www.commwealth-cba-au.com/smwr/ | 100% | Avira URL Cloud | phishing |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/n-u | 0% | URL Reputation | safe |
http://www.fontbureau.comsiefRPho | 0% | Avira URL Cloud | safe |
http://www.fontbureau.como | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.fontbureau.com.TTF | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnu-e | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comalsd | 0% | URL Reputation | safe |
Note: every entry other than www.commwealth-cba-au.com/smwr/ is a font-foundry URL (Font Bureau, Founder, Jiyu-Kobo, Tiro, Sandoll, URW, Sakkal and the like) carried in the name tables of the TrueType fonts the process enumerated under C:\Windows\Fonts, as recorded by the VolumeInformation queries above. Trailing fragments such as "bThe", "ueTF" or "7R" are neighbouring bytes picked up by the memory string scan, not part of any URL, and none of these are indicators. The one network indicator attributable to the malware itself is the configured C2 path www.commwealth-cba-au.com/smwr/, which Avira URL Cloud classifies as phishing.
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
www.commwealth-cba-au.com/smwr/ | true | Virustotal 7% (Browse); Avira URL Cloud: phishing | low
Name | Source | Malicious | Antivirus Detection | Reputation
(All sources are memory dumps of process 00000000, SecuriteInfo.com.W32.AIDetectNet.01.24194.exe, abbreviated here as <dump index>.<timestamp>.<base address>; each full file name is 00000000.<dump index>.<timestamp>.<base address>.00000004.00000800.00020000.00000000.sdmp.)
http://www.apache.org/licenses/LICENSE-2.0 | 00000002.307326512.0000000006F52000 | false | | high
http://www.fontbureau.com | 00000003.299899600.0000000005C60000 | false | | high
http://www.fontbureau.com/designersG | 00000002.307326512.0000000006F52000 | false | | high
http://www.fontbureau.com/designers/? | 00000002.307326512.0000000006F52000 | false | | high
http://www.founder.com.cn/cn/bThe | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | 00000002.307326512.0000000006F52000 | false | | high
http://www.fontbureau.com/designers~ | 00000003.270438377.0000000005C9D000 | false | | high
http://www.fontbureau.com/designersE | 00000003.269072747.0000000005C9D000, 00000003.269013352.0000000005C9D000, 00000003.269126032.0000000005C9D000, 00000003.269174089.0000000005C9D000 | false | | high
http://www.fontbureau.comueTF | 00000003.271142884.0000000005C6C000 | false | URL Reputation: safe | unknown
http://www.fontbureau.comuemQ | 00000002.306903174.0000000005C6C000, 00000003.299986023.0000000005C6B000, 00000003.278971595.0000000005C6D000, 00000003.276139218.0000000005C66000, 00000003.284163429.0000000005C6B000, 00000003.276289023.0000000005C6C000, 00000003.299899600.0000000005C60000 | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn7R | 00000003.262954837.0000000005C64000, 00000003.263269492.0000000005C67000, 00000003.263072140.0000000005C66000, 00000003.263158470.0000000005C67000, 00000003.263201849.0000000005C67000, 00000003.262993160.0000000005C64000 | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | 00000003.268320197.0000000005C9D000, 00000003.276029305.0000000005C9B000 | false | | high
http://www.goodfont.co.kr | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | 00000003.266179512.0000000005C6B000, 00000003.266268752.0000000005C6B000 | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | 00000002.306903174.0000000005C6C000, 00000003.299986023.0000000005C6B000, 00000003.278971595.0000000005C6D000, 00000003.276139218.0000000005C66000, 00000003.284163429.0000000005C6B000, 00000003.276289023.0000000005C6C000, 00000003.299899600.0000000005C60000 | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersl# | 00000003.269675889.0000000005C9D000, 00000003.269723077.0000000005C9D000 | false | | high
http://www.sajatypeworks.com | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.typography.netD | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 00000002.307326512.0000000006F52000 | false | | high
http://www.founder.com.cn/cn/cThe | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://fontfabrik.com | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | 00000002.307326512.0000000006F52000, 00000003.262954837.0000000005C64000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | 00000002.307326512.0000000006F52000 | false | | high
http://www.fontbureau.com/designers/frere-user.htmlX4 | 00000003.269530321.0000000005C9D000 | false | | high
http://www.fontbureau.com/designers_ | 00000003.276091209.0000000005C9B000, 00000003.276029305.0000000005C9B000 | false | | high
http://www.jiyu-kobo.co.jp/ | 00000003.266268752.0000000005C6B000, 00000003.266482682.0000000005C6C000 | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n-u | 00000003.266179512.0000000005C6B000, 00000003.266268752.0000000005C6B000 | false | URL Reputation: safe | unknown
http://www.fontbureau.comsiefRPho | 00000003.271142884.0000000005C6C000 | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | 00000003.271142884.0000000005C6C000 | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 00000002.307326512.0000000006F52000 | false | | high
http://www.fonts.com | 00000002.307326512.0000000006F52000 | false | | high
http://www.sandoll.co.kr | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersz | 00000003.269072747.0000000005C9D000, 00000003.269013352.0000000005C9D000, 00000003.269126032.0000000005C9D000, 00000003.268902046.0000000005C9D000, 00000003.269174089.0000000005C9D000 | false | | high
http://www.zhongyicts.com.cn | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.sakkal.com | 00000002.307326512.0000000006F52000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com.TTF | 00000003.271142884.0000000005C6C000 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | 00000003.268320197.0000000005C9D000 | false | | high
http://www.founder.com.cn/cnu-e | 00000003.262954837.0000000005C64000, 00000003.263269492.0000000005C67000, 00000003.263072140.0000000005C66000, 00000003.263158470.0000000005C67000, 00000003.263201849.0000000005C67000, 00000003.262993160.0000000005C64000 | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comalsd | 00000003.271142884.0000000005C6C000 | false | URL Reputation: safe | unknown
                                            No contacted IP infos
                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:635348
Start date and time: 2022-05-27 19:41:51 +02:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 8m 48s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:SecuriteInfo.com.W32.AIDetectNet.01.24194.12957 (renamed file extension from 12957 to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@3/1@0/0
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 24.8% (good quality ratio 23.5%)
                                            • Quality average: 70.6%
                                            • Quality standard deviation: 30.3%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 31
                                            • Number of non-executed functions: 9
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
19:43:20 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.24194.exe modified
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1308
                                            Entropy (8bit):5.345811588615766
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                            MD5:2E016B886BDB8389D2DD0867BE55F87B
                                            SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                            SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                            SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.742642857816063
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
                                            File size:779776
                                            MD5:ac85e260ef18ab08b53e04177e8c04a9
                                            SHA1:1137e2caa9848d3b804fecb01e12624bd5fb62bc
                                            SHA256:0e3a4f080d2ff0bdfa0a7e39df4982232b2d19245e6355e49940c05becfeecc5
                                            SHA512:0311f7aa0c464d0d82b14f56fb116d61414be43621bcb84072795a0760ecb36ecdeacfc4d98444cbf1716caac16a045f0b34aad994ca3bbd02fa9a34ca2e7652
                                            SSDEEP:12288:Moa7mYn3GNG2p0I8WRnyGTd+p2YH0UUO4NQ4mYvZ0obd:Mf7mYWNG80I8W5yGTwp25UUO4C4mYxjd
                                            TLSH:D7F4E06A76679E03C11823B480C2E41407F96107A573E3C76FC761D72B1ABE59EC9B8B
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0......Z........... ........@.. .......................@............@................................
                                            Icon Hash:4462f276dcec30e6
                                            Entrypoint:0x4ba9be
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x6290E388 [Fri May 27 14:43:20 2022 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba970 | 0x4b | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbc000 | 0x57c0 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xba923 | 0x1c | .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0xb89c4 | 0xb8a00 | False | 0.881581383294 | data | 7.74063196542 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xbc000 | 0x57c0 | 0x5800 | False | 0.964621803977 | data | 7.89130545967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0xc2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country
                                            RT_ICON | 0xbc130 | 0x51a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                            RT_GROUP_ICON | 0xc12d4 | 0x14 | data | |
                                            RT_VERSION | 0xc12e8 | 0x2ec | data | |
                                            RT_MANIFEST | 0xc15d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Description | Data
                                            Translation | 0x0000 0x04b0
                                            LegalCopyright |
                                            Assembly Version | 1.0.0.0
                                            InternalName | IServiceProvi.exe
                                            FileVersion | 1.0.0.0
                                            CompanyName |
                                            LegalTrademarks |
                                            Comments |
                                            ProductName |
                                            ProductVersion | 1.0.0.0
                                            FileDescription |
                                            OriginalFilename | IServiceProvi.exe
                                            No network behavior found

                                            Target ID:0
                                            Start time:19:43:01
                                            Start date:27/05/2022
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe"
                                            Imagebase:0x700000
                                            File size:779776 bytes
                                            MD5 hash:AC85E260EF18AB08B53E04177E8C04A9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.303867401.0000000003C01000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.307980794.0000000007640000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302533701.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302576696.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Target ID:10
                                            Start time:19:43:23
                                            Start date:27/05/2022
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.24194.exe
                                            Imagebase:0xac0000
                                            File size:779776 bytes
                                            MD5 hash:AC85E260EF18AB08B53E04177E8C04A9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.298671862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.298185679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low


                                              Execution Graph

                                              Execution Coverage:10.5%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:104
                                              Total number of Limit Nodes:8
                                              [Execution graph: rendered node/edge data omitted. Graph nodes at 0x2be0000 and 0x5e50000 resolve to the APIs GetCursorFrameInfo, DuplicateHandle, CreateWindowExW, SetWindowLongW, PostMessageW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, LoadLibraryExW and CallWindowProcW.]

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              [Control-flow graph: rendered basic-block/edge data omitted; blocks span 5e5bb80 to 5e5cadb in the 0x5e50000 memory dump.]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $h$UUUU
                                              • API String ID: 0-1007802787
                                              • Opcode ID: 80539d65ba67bc3601392561992cf542370ff1a4952539dca760baa0834e7140
                                              • Instruction ID: fd484232bf2a55f160d610bc8bd34ea74a29c0ae7ba8d523d3103d3a12adca9b
                                              • Opcode Fuzzy Hash: 80539d65ba67bc3601392561992cf542370ff1a4952539dca760baa0834e7140
                                              • Instruction Fuzzy Hash: E7A2C375A00228CFDB64CF69C984A99BBB2FF89314F1581E9D50DAB325DB319E81CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78f5e2dbc47b7087fa9b410f09f5f77f45ec560c6658755498971609b0e10b95
                                              • Instruction ID: 49b29b5d3cd25d8d5ef54065de8e641bc5fed7c0bd2cac504bed45c68bf8013d
                                              • Opcode Fuzzy Hash: 78f5e2dbc47b7087fa9b410f09f5f77f45ec560c6658755498971609b0e10b95
                                              • Instruction Fuzzy Hash: 19824D35A04205DFDB14CF68D988AAEBBF2BF48324F159599E88ADB261D730ED41CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5ac7adb9e6616e3536a7918679e9ad1cfb1e170e85dd02097012be666c3a88d4
                                              • Instruction ID: abde088c5c052e860828143dc6564b0995f57c6e34f0be24ad2c97d36d91554e
                                              • Opcode Fuzzy Hash: 5ac7adb9e6616e3536a7918679e9ad1cfb1e170e85dd02097012be666c3a88d4
                                              • Instruction Fuzzy Hash: 7CD16D34A04209CFDB15CFA8C988AADBBF2FF88364F549165F845AB261DB30ED41CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 95301a484cc9699b48a0e505f9ef5b21dbf597da1cfa852478757a5e3cdaec06
                                              • Instruction ID: 2a5f996a5adba0dfe73cfc9064a2291c7e72061041a472114f7e781009a9a652
                                              • Opcode Fuzzy Hash: 95301a484cc9699b48a0e505f9ef5b21dbf597da1cfa852478757a5e3cdaec06
                                              • Instruction Fuzzy Hash: 93A1B135E007198FCF14DFA4D8549DEB7B6FF89314F248255E416AB7A4EB30A988CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 02BE38D0
                                              • GetCurrentThread.KERNEL32 ref: 02BE390D
                                              • GetCurrentProcess.KERNEL32 ref: 02BE394A
                                              • GetCurrentThreadId.KERNEL32 ref: 02BE39A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: d9e3e2be5591c40b824fa88b3839b9b0ee1395cf2cc713a5af1960b00bed7a96
                                              • Instruction ID: 2a09a2305f2323c2799b88e9bb08789efc77ba04268d6b68c2f9900a4bab6df2
                                              • Opcode Fuzzy Hash: d9e3e2be5591c40b824fa88b3839b9b0ee1395cf2cc713a5af1960b00bed7a96
                                              • Instruction Fuzzy Hash: FF5127B49007498FDB14CFA9D548BEEBBF0BF48318F148499E41AB7395D7349984CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 02BE38D0
                                              • GetCurrentThread.KERNEL32 ref: 02BE390D
                                              • GetCurrentProcess.KERNEL32 ref: 02BE394A
                                              • GetCurrentThreadId.KERNEL32 ref: 02BE39A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 38de23d93af888350639642d5c0b91ba4eecf0a2a27070fc18dc2d779140aee6
                                              • Instruction ID: 7dbb47bbee4f038ed63f0856462d24324310a0edd0614c13bf4e47d2931fb126
                                              • Opcode Fuzzy Hash: 38de23d93af888350639642d5c0b91ba4eecf0a2a27070fc18dc2d779140aee6
                                              • Instruction Fuzzy Hash: AE5144B49007498FDB14CFA9E548BEEBBF0FB48318F248499E41AB7354D7349884CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 05E55B07-05E55EFB; internal calls to 05E53E70, 05E55FA1 and 05E55FB0; GetCursorFrameInfo referenced in block 05E55DED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d823f5b040463c40b5e2275d9e73a3737fc479ff9cf46e3a5f47116981789e5a
                                              • Instruction ID: 18c079652abe6b7bb1e58abeafd024b59ca270b06bb18f7a147b0187ebd7f4a1
                                              • Opcode Fuzzy Hash: d823f5b040463c40b5e2275d9e73a3737fc479ff9cf46e3a5f47116981789e5a
                                              • Instruction Fuzzy Hash: ACB14F74D042588FDB50DFA8C4487EDBBF2BF4A324F14A06AC859A7341EB349985CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE7ECD-02BE8049; CreateWindowExW called from block 02BE7F9B-02BE7FFA
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02BE7FEA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 91120d3ffea5af84815201d4fab94cf726df8f928d00827d3a1c125b719ce34e
                                              • Instruction ID: a38bfdeba6bb915064cfa71682bf63f9d481a9ad7662d3d384873f718d6f2f09
                                              • Opcode Fuzzy Hash: 91120d3ffea5af84815201d4fab94cf726df8f928d00827d3a1c125b719ce34e
                                              • Instruction Fuzzy Hash: C651BEB5D002499FDF14CF99C884ADEBBB5FF48314F24862AE419AB210D7749985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE7ED8-02BE8049; CreateWindowExW called from block 02BE7F5B-02BE7FFA
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02BE7FEA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 80dbffcfa5b05b695913b81d686cf0c41e1f1f57c115165170d0ccc0e1f9e268
                                              • Instruction ID: b56efda77937a2371952c0b4355e65513c2a71f1db937f1b118dbdb3dd28de63
                                              • Opcode Fuzzy Hash: 80dbffcfa5b05b695913b81d686cf0c41e1f1f57c115165170d0ccc0e1f9e268
                                              • Instruction Fuzzy Hash: 6441BDB1D003499FDF14CF99C884ADEBBB5FF88314F24862AE819AB210D7749885CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE60FC-02BEA5AC; internal call to 02BE5FD4 from block 02BEA57C-02BEA59C; CallWindowProcW called from block 02BEA52A-02BEA562
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 02BEA551
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 41651d9c94311bb26438eaa5ce065eed534504312d8ec2f13681ad3606b7293e
                                              • Instruction ID: 6973119742b98aeeb319a9fcafbe295f95b2ebe71bec24fb4cbcb231cb595ace
                                              • Opcode Fuzzy Hash: 41651d9c94311bb26438eaa5ce065eed534504312d8ec2f13681ad3606b7293e
                                              • Instruction Fuzzy Hash: FD4117B4A00205CFDB14CF59C488AAABBF9FF88314F15C499E51AAB321D774E845CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE3A90-02BE3B52; DuplicateHandle called from block 02BE3A90-02BE3B2C
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BE3B1F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: d8acae9adf8e70256644e5eacf6c45b839ec939a3bfbe88c1a392a6983c4a298
                                              • Instruction ID: c5aed66e915b3ad2ccf68ef59f64fc31d5262ea916a14730a2bb928f0bccffc6
                                              • Opcode Fuzzy Hash: d8acae9adf8e70256644e5eacf6c45b839ec939a3bfbe88c1a392a6983c4a298
                                              • Instruction Fuzzy Hash: 8A2103B5D002499FCB10CFA9D984AEEBBF4FB48324F14845AE919A3310D378A955CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE3A98-02BE3B52; DuplicateHandle called from block 02BE3A98-02BE3B2C
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BE3B1F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 593cb866f5431ac5f27246f53f720dbc20a0a884435ddcab26f2569a968d2ff0
                                              • Instruction ID: b96c5b7d901155e465507ba7f0ef7f7f5965ce57d8a9ec3c6ea931de70a57350
                                              • Opcode Fuzzy Hash: 593cb866f5431ac5f27246f53f720dbc20a0a884435ddcab26f2569a968d2ff0
                                              • Instruction Fuzzy Hash: FD21D8B59002499FDF10CFA9D984AEEBBF4FB48314F14845AE915B3350D374A954CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE1658-02BE1D75; LoadLibraryExW called from block 02BE1D20-02BE1D4F
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BE1B31,00000800,00000000,00000000), ref: 02BE1D42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 6e7bca0d230189c988f3be90ee3f1fcf0913775ca00e90bcac95fdc18294a789
                                              • Instruction ID: 4250f173d8929fa27bc10b07cc93ad150eac6985bd2aeaf68b7b19b4c3acef47
                                              • Opcode Fuzzy Hash: 6e7bca0d230189c988f3be90ee3f1fcf0913775ca00e90bcac95fdc18294a789
                                              • Instruction Fuzzy Hash: B61114B69003489FCB10CF9AD444ADEFBF4EB88314F14846AD51AB7600C774A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE1CD0-02BE1D75; LoadLibraryExW called from block 02BE1D20-02BE1D4F
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BE1B31,00000800,00000000,00000000), ref: 02BE1D42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: a4ab81b5be4d424d8d2574089958f92dd2ddc8a488a9013c9786624ec8f38e28
                                              • Instruction ID: 0ec39c2bc0f9b97228c927475e4bdc6adbf088d55eb2e78ac8d58c9f8d7d8b7b
                                              • Opcode Fuzzy Hash: a4ab81b5be4d424d8d2574089958f92dd2ddc8a488a9013c9786624ec8f38e28
                                              • Instruction Fuzzy Hash: 8E2106B6D002498FCB10CF9AD484ADEBBF4EF88314F14855AD419A7600C775A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE1A48-02BE1AE0; GetModuleHandleW called from block 02BE1A98-02BE1AC3
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02BE1AB6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 405e093301f6f633065c35ab6b6f35e3e023f263161f4f33f5895e1dadb9cbc0
                                              • Instruction ID: 0b9b090ac7e0977fc373af4b3adf4346863cd1caca9e6c2dd3fc9790222bb8be
                                              • Opcode Fuzzy Hash: 405e093301f6f633065c35ab6b6f35e3e023f263161f4f33f5895e1dadb9cbc0
                                              • Instruction Fuzzy Hash: BD11F0B6D002498FCB10CF9AD544ADEBBF4AB88324F14855AD429B7610C378A985CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 02BE1A50-02BE1AE0; GetModuleHandleW called from block 02BE1A98-02BE1AC3
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02BE1AB6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 94d9d763c18c0f645470796a37990d062aaadc1d1dc731259a8847d2605d77fb
                                              • Instruction ID: 44d3f1bd9c918749f0b92a0e2126b58849ef3878cc7f7b4f3f7b0d4bfd7075ce
                                              • Opcode Fuzzy Hash: 94d9d763c18c0f645470796a37990d062aaadc1d1dc731259a8847d2605d77fb
                                              • Instruction Fuzzy Hash: 6011DFB6D006498FCB10CF9AD844AEEFBF4EB88224F14855AD429B7600D379A585CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 05E5A808-05E5F017; PostMessageW called from block 05E5A808-05E5EFFA
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05E5EFED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: f803d6dc124b39d2e252b813998de19fa60927c6545aa947b0d4f54dc4456b32
                                              • Instruction ID: cfb1012605baab391235a4d154dd009b41090373c8501a484c924dc12cdbb9c8
                                              • Opcode Fuzzy Hash: f803d6dc124b39d2e252b813998de19fa60927c6545aa947b0d4f54dc4456b32
                                              • Instruction Fuzzy Hash: 421103B58043489FDB10DF99D889BDEBBF8FB48324F148459E959A7300D375AA84CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                               • Graph (rendering omitted): basic blocks 05E5EF89-05E5F017; PostMessageW called from block 05E5EF89-05E5EFFA
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05E5EFED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 1592e06829b7d1332f7f27824105f38c2f8d8332a735fa58bb42628898cfbdcc
                                              • Instruction ID: 39f03bd3d2454f03cfca8edf3de05994684ad9ca32f667de112cd4a9a235e1cd
                                              • Opcode Fuzzy Hash: 1592e06829b7d1332f7f27824105f38c2f8d8332a735fa58bb42628898cfbdcc
                                              • Instruction Fuzzy Hash: 651103B68003499FDB10CF99D885BDEBBF8FB48324F148419E855A7300D374A684CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 02BE817D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              • Opcode ID: b840c9b4a13a3afae4dc1c8e0e23634c12aaa19c91c90e1cf64d73050e1d5a68
                                              • Instruction ID: 9bc1bce4cdf4d89ad1f964ce845bf81cf70da7aaa4bf00a7e299c71509399442
                                              • Opcode Fuzzy Hash: b840c9b4a13a3afae4dc1c8e0e23634c12aaa19c91c90e1cf64d73050e1d5a68
                                              • Instruction Fuzzy Hash: F31133B59002488FCB10CF99D988BDFBBF8EB48324F14841AE819B7740C374A984CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 02BE817D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              • Opcode ID: 76686c039b014b4d95eeb4fa6e9fdc4c19acff68cab097277fa8f5e8f831402a
                                              • Instruction ID: 6a5c315eb2b6960f394c2e408b0e5ca75a9bc2396bc3427807591e917e99c7a6
                                              • Opcode Fuzzy Hash: 76686c039b014b4d95eeb4fa6e9fdc4c19acff68cab097277fa8f5e8f831402a
                                              • Instruction Fuzzy Hash: 5F1115B59003488FDB10CF99D984BDFBBF8EB48324F14845AD919A3740C374A984CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 981c02ba5b57e79ac9ceb669e9af33f44924df099b8b8a2f3c3db2ef4684f798
                                              • Instruction ID: 05e4fd747796c9afdf9d6cc2b5034b8e6853e3d5248801c38dcde83e3afd27fd
                                              • Opcode Fuzzy Hash: 981c02ba5b57e79ac9ceb669e9af33f44924df099b8b8a2f3c3db2ef4684f798
                                              • Instruction Fuzzy Hash: 0F12DDF14117458BE3BACF65E5981893B63B745328F50422AD2713BAD9D7BC11CACF48
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e07b3b2dcc3ea83cb800959dbbbcd1357903617f57c10088c0b1a6f8f850f354
                                              • Instruction ID: ddf964f75e7cd6e27d27bb6abf33b4bef81b0bdc2b65b0ee4ea1a9202b105b97
                                              • Opcode Fuzzy Hash: e07b3b2dcc3ea83cb800959dbbbcd1357903617f57c10088c0b1a6f8f850f354
                                              • Instruction Fuzzy Hash: 1CD1F830C2065A8ACB00EF64D990ADDB7B1FF96304F61879AE44977665EF706AC8CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c824ec96a15d1b531469d4d413b02c47f23064c2183929ef70ba3db0f5097bc
                                              • Instruction ID: a9d1bac18bb907d4f064437b7895d9ab749b96c53c9f9f720f7a35434d69f243
                                              • Opcode Fuzzy Hash: 0c824ec96a15d1b531469d4d413b02c47f23064c2183929ef70ba3db0f5097bc
                                              • Instruction Fuzzy Hash: 30A17D32E002098FCF15DFB5D8849DEB7B2FF84304B1585AAE916AB260EB71A955CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7d34664bdaf52c6c9fa2bae8731611d43b5f5e0f8b75fbece60be03f9b8c32d7
                                              • Instruction ID: 9b0a85d6fd2c7f17e145c3c726a55c3dc2b5c5eac053b667e3059dc99fe1dd38
                                              • Opcode Fuzzy Hash: 7d34664bdaf52c6c9fa2bae8731611d43b5f5e0f8b75fbece60be03f9b8c32d7
                                              • Instruction Fuzzy Hash: 02D1F830C2065A8ACB10EF64D990ADDB3B1FF96304F61879AE54977664EF706AC8CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a7b84c9f0f7fe5bb9548a444549243776040c99ecfccb1c978a2a3aecc124517
                                              • Instruction ID: 7b189b4fdb519a5b2e26615e9fbb95116fe3c93d6c29d2b26b2092c222c21ae4
                                              • Opcode Fuzzy Hash: a7b84c9f0f7fe5bb9548a444549243776040c99ecfccb1c978a2a3aecc124517
                                              • Instruction Fuzzy Hash: 03819134B042188FCB08DF7898556BE7AB7AFC8714B059C2EE656E7388DF34980587A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.302241314.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2be0000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c0985e3462580a0415954afba827312d0b1aa93a955bcffd07a5ab33b9c95abf
                                              • Instruction ID: c53cf31eaa878bc1634b9cb5739784d5da48e24c0b66125dfc12297e2b9e1e90
                                              • Opcode Fuzzy Hash: c0985e3462580a0415954afba827312d0b1aa93a955bcffd07a5ab33b9c95abf
                                              • Instruction Fuzzy Hash: 6AC11EB18117458BE7AACF65E9841893B73FB85328F50432AD2717B6D8D7B814CACF48
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.307064040.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e50000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a8f4759f3cc9f5d993a0eaa1a0e53e772df7ff64b1f87fe0bfed443eb8023137
                                              • Instruction ID: d1149eff40bb58b13f38ed00b2f0af34646214fa0ba21c6ba3365952a60406f7
                                              • Opcode Fuzzy Hash: a8f4759f3cc9f5d993a0eaa1a0e53e772df7ff64b1f87fe0bfed443eb8023137
                                              • Instruction Fuzzy Hash: D2615E70E042888FD748EF6AE85168E7BF2EB89308F05D829D004EB768EF7559458F65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:3.3%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:3.8%
                                              Total number of Nodes:338
                                              Total number of Limit Nodes:31
                                              execution_graph 16566 41f300 16569 41b9e0 16566->16569 16568 41f30b 16570 41ba06 16569->16570 16577 409160 16570->16577 16572 41ba12 16576 41ba4b 16572->16576 16583 40d770 16572->16583 16574 41ba27 16593 40ac10 16574->16593 16576->16568 16607 4090b0 16577->16607 16579 409174 16579->16572 16580 40916d 16580->16579 16614 40d570 16580->16614 16584 40d79c 16583->16584 16843 40d680 16584->16843 16587 40d7e1 16590 40d7f2 16587->16590 16592 41a450 NtClose 16587->16592 16588 40d7c9 16589 40d7d4 16588->16589 16591 41a450 NtClose 16588->16591 16589->16574 16590->16574 16591->16589 16592->16590 16594 40ac35 16593->16594 16606 40ae95 16594->16606 16847 407e10 16594->16847 16596 40ad98 16597 41bef0 RtlFreeHeap 16596->16597 16599 40ada5 16597->16599 16598 40ad3b 16598->16596 16600 40ade2 16598->16600 16603 40adf2 16598->16603 16598->16606 16599->16576 16601 41bef0 RtlFreeHeap 16600->16601 16602 40ade9 16601->16602 16602->16576 16603->16596 16604 40ae71 16603->16604 16605 41bef0 RtlFreeHeap 16604->16605 16605->16606 16606->16576 16609 4090c3 16607->16609 16608 4090d6 16608->16580 16609->16608 16618 41b320 16609->16618 16611 409113 16611->16608 16627 408ed0 16611->16627 16613 409133 16613->16580 16616 40d589 16614->16616 16615 409185 16615->16572 16616->16615 16617 41a450 NtClose 16616->16617 16617->16615 16619 41b339 16618->16619 16630 4156a0 16619->16630 16621 41b351 16622 41b35a 16621->16622 16659 41b160 16621->16659 16622->16611 16624 41b36e 16624->16622 16670 41bef0 16624->16670 16629 408eea 16627->16629 16836 407210 16627->16836 16629->16613 16631 4156b4 16630->16631 16634 4157c3 16630->16634 16631->16634 16673 41a320 16631->16673 16633 415807 16635 41bef0 RtlFreeHeap 16633->16635 16634->16621 16636 415813 16635->16636 16636->16634 16637 415999 16636->16637 16638 4159af 16636->16638 16643 4158a2 16636->16643 16639 41a450 NtClose 16637->16639 16731 4153e0 16638->16731 16640 4159a0 16639->16640 16640->16621 16642 4159c2 
16642->16621 16644 415909 16643->16644 16645 4158b1 16643->16645 16644->16637 16651 41591c 16644->16651 16646 4158b6 16645->16646 16647 4158ca 16645->16647 16718 4152a0 16646->16718 16649 4158e7 16647->16649 16650 4158cf 16647->16650 16649->16640 16686 415060 16649->16686 16676 415340 16650->16676 16728 41a450 16651->16728 16652 4158c0 16652->16621 16654 4158dd 16654->16621 16657 4158ff 16657->16621 16658 415988 16658->16621 16660 41b17b 16659->16660 16661 41b18d 16660->16661 16777 41be70 16660->16777 16661->16624 16663 41b1ad 16780 414cc0 16663->16780 16665 41b1d0 16665->16661 16666 414cc0 2 API calls 16665->16666 16668 41b1f2 16666->16668 16668->16661 16805 415fe0 16668->16805 16669 41b27a 16669->16624 16671 41b3c9 16670->16671 16833 41a630 16670->16833 16671->16611 16674 41a33c NtCreateFile 16673->16674 16758 41af70 16673->16758 16674->16633 16677 41535c 16676->16677 16678 415384 16677->16678 16679 415398 16677->16679 16680 41a450 NtClose 16678->16680 16681 41a450 NtClose 16679->16681 16682 41538d 16680->16682 16683 4153a1 16681->16683 16682->16654 16760 41c100 16683->16760 16685 4153ac 16685->16654 16687 4150ab 16686->16687 16688 4150de 16686->16688 16690 41a450 NtClose 16687->16690 16689 4150fa 16688->16689 16692 415229 16688->16692 16693 415131 16689->16693 16694 41511c 16689->16694 16691 4150cf 16690->16691 16691->16657 16698 41a450 NtClose 16692->16698 16696 415136 16693->16696 16697 41514c 16693->16697 16695 41a450 NtClose 16694->16695 16699 415125 16695->16699 16700 41a450 NtClose 16696->16700 16705 415151 16697->16705 16766 41c0c0 16697->16766 16701 415289 16698->16701 16699->16657 16702 41513f 16700->16702 16701->16657 16702->16657 16707 415163 16705->16707 16769 41a3d0 16705->16769 16706 4151b7 16708 4151d5 16706->16708 16709 4151ea 16706->16709 16707->16657 16711 41a450 NtClose 16708->16711 16710 41a450 NtClose 16709->16710 16712 4151f3 16710->16712 16711->16707 16713 41521f 16712->16713 16772 41bcc0 16712->16772 16713->16657 16715 41520a 16716 41bef0 
RtlFreeHeap 16715->16716 16717 415213 16716->16717 16717->16657 16719 4152dd 16718->16719 16720 4152e4 16719->16720 16722 4152f8 16719->16722 16721 41a450 NtClose 16720->16721 16723 4152ed 16721->16723 16724 41a450 NtClose 16722->16724 16723->16652 16725 415322 16724->16725 16726 41a450 NtClose 16725->16726 16727 41532c 16726->16727 16727->16652 16729 41af70 16728->16729 16730 41a46c NtClose 16729->16730 16730->16658 16732 41541e 16731->16732 16733 415427 16732->16733 16734 41543c 16732->16734 16735 41a450 NtClose 16733->16735 16736 415460 16734->16736 16737 4154aa 16734->16737 16738 415430 16735->16738 16743 41a450 NtClose 16736->16743 16739 4154f0 16737->16739 16740 4154af 16737->16740 16738->16642 16741 41562a 16739->16741 16742 415502 16739->16742 16740->16738 16744 41a3d0 NtReadFile 16740->16744 16741->16738 16749 41a3d0 NtReadFile 16741->16749 16746 415507 16742->16746 16754 415542 16742->16754 16743->16738 16745 4154da 16744->16745 16747 41a450 NtClose 16745->16747 16750 41a450 NtClose 16746->16750 16748 4154e3 16747->16748 16748->16642 16751 415681 16749->16751 16752 415533 16750->16752 16753 41a450 NtClose 16751->16753 16752->16642 16755 41568a 16753->16755 16754->16738 16756 41a450 NtClose 16754->16756 16755->16642 16757 415575 16756->16757 16757->16642 16759 41af7f 16758->16759 16759->16674 16762 41c11a 16760->16762 16763 41a5f0 16760->16763 16762->16685 16764 41af70 16763->16764 16765 41a60c RtlAllocateHeap 16764->16765 16765->16762 16767 41a5f0 RtlAllocateHeap 16766->16767 16768 41c0d8 16767->16768 16768->16705 16770 41af70 16769->16770 16771 41a3ec NtReadFile 16770->16771 16771->16706 16773 41bce4 16772->16773 16774 41bccd 16772->16774 16773->16715 16774->16773 16775 41c0c0 RtlAllocateHeap 16774->16775 16776 41bcfb 16775->16776 16776->16715 16778 41be9d 16777->16778 16816 41a500 16777->16816 16778->16663 16781 414cd1 16780->16781 16782 414cd9 16780->16782 16781->16665 16804 414fac 16782->16804 16819 41d0a0 16782->16819 16784 414d2d 16785 41d0a0 
RtlAllocateHeap 16784->16785 16788 414d38 16785->16788 16786 414d86 16789 41d0a0 RtlAllocateHeap 16786->16789 16788->16786 16824 41d140 16788->16824 16790 414d9a 16789->16790 16791 41d0a0 RtlAllocateHeap 16790->16791 16793 414e0d 16791->16793 16792 41d0a0 RtlAllocateHeap 16799 414e55 16792->16799 16793->16792 16796 41d100 RtlFreeHeap 16797 414f8e 16796->16797 16798 41d100 RtlFreeHeap 16797->16798 16800 414f98 16798->16800 16830 41d100 16799->16830 16801 41d100 RtlFreeHeap 16800->16801 16802 414fa2 16801->16802 16803 41d100 RtlFreeHeap 16802->16803 16803->16804 16804->16665 16806 415ff1 16805->16806 16807 4156a0 5 API calls 16806->16807 16812 416007 16807->16812 16808 416010 16808->16669 16809 416047 16810 41bef0 RtlFreeHeap 16809->16810 16811 416058 16810->16811 16811->16669 16812->16808 16812->16809 16813 416093 16812->16813 16814 41bef0 RtlFreeHeap 16813->16814 16815 416098 16814->16815 16815->16669 16817 41a515 16816->16817 16818 41a51c NtAllocateVirtualMemory 16817->16818 16818->16778 16820 41d0b0 16819->16820 16821 41d0b6 16819->16821 16820->16784 16822 41c0c0 RtlAllocateHeap 16821->16822 16823 41d0dc 16822->16823 16823->16784 16825 41d165 16824->16825 16829 41d19d 16824->16829 16826 41c0c0 RtlAllocateHeap 16825->16826 16827 41d17a 16826->16827 16828 41bef0 RtlFreeHeap 16827->16828 16828->16829 16829->16788 16831 414f84 16830->16831 16832 41bef0 RtlFreeHeap 16830->16832 16831->16796 16832->16831 16834 41af70 16833->16834 16835 41a64c RtlFreeHeap 16834->16835 16835->16671 16837 407220 16836->16837 16838 40721b 16836->16838 16839 41be70 NtAllocateVirtualMemory 16837->16839 16838->16629 16840 407245 16839->16840 16841 4072a8 16840->16841 16842 41be70 NtAllocateVirtualMemory 16840->16842 16841->16629 16842->16840 16844 40d69a 16843->16844 16846 40d750 16843->16846 16845 41a450 NtClose 16844->16845 16845->16846 16846->16587 16846->16588 16848 407e2e 16847->16848 16857 407ed2 16847->16857 16849 407210 NtAllocateVirtualMemory 16848->16849 16855 407e38 16849->16855 
16850 407210 NtAllocateVirtualMemory 16858 407efd 16850->16858 16853 407fba 16853->16598 16855->16857 16860 407b10 16855->16860 16856 407b10 6 API calls 16856->16858 16857->16850 16857->16853 16859 407f92 16857->16859 16858->16856 16858->16859 16859->16853 16881 40da70 16859->16881 16863 407b35 16860->16863 16861 407b89 16861->16855 16862 407c0a 16908 40d950 16862->16908 16863->16861 16863->16862 16867 407bb8 16863->16867 16866 407c36 16866->16855 16867->16866 16888 40af10 16867->16888 16869 407c2c 16871 41a450 NtClose 16869->16871 16870 407bd2 16870->16866 16900 407940 16870->16900 16871->16866 16872 407c42 16874 40af10 NtClose 16872->16874 16876 407c8d 16874->16876 16875 407c00 16875->16855 16876->16866 16877 41a450 NtClose 16876->16877 16878 407ce5 16877->16878 16912 407710 16878->16912 16880 407cf9 16880->16855 16882 40da95 16881->16882 16883 407510 5 API calls 16882->16883 16886 40dab9 16883->16886 16884 407fb0 16884->16598 16885 4156a0 5 API calls 16885->16886 16886->16884 16886->16885 16887 41bef0 RtlFreeHeap 16886->16887 16887->16886 16889 40af3b 16888->16889 16890 40afe3 16889->16890 16891 40afcc 16889->16891 16892 40afef 16889->16892 16890->16870 16893 41a450 NtClose 16891->16893 16894 40b059 16892->16894 16895 40b039 16892->16895 16893->16890 16898 41a450 NtClose 16894->16898 16896 41a450 NtClose 16895->16896 16897 40b046 16896->16897 16897->16870 16899 40b075 16898->16899 16899->16870 16901 407956 16900->16901 16919 419840 16901->16919 16903 40796f 16907 407a83 16903->16907 16938 407510 16903->16938 16905 407a55 16906 407710 5 API calls 16905->16906 16905->16907 16906->16907 16907->16875 16909 40d994 16908->16909 16910 41a450 NtClose 16909->16910 16911 407c25 16909->16911 16910->16911 16911->16869 16911->16872 16914 407739 16912->16914 16913 4077d7 16913->16880 16914->16913 16915 41a450 NtClose 16914->16915 16916 40780a 16915->16916 16916->16913 16917 4156a0 5 API calls 16916->16917 16918 407928 16917->16918 16918->16880 16920 41c0c0 RtlAllocateHeap 
16919->16920 16921 419857 16920->16921 16945 408760 16921->16945 16923 419872 16924 4198b0 16923->16924 16925 419899 16923->16925 16928 41be70 NtAllocateVirtualMemory 16924->16928 16926 41bef0 RtlFreeHeap 16925->16926 16927 4198a6 16926->16927 16927->16903 16929 4198ea 16928->16929 16930 41be70 NtAllocateVirtualMemory 16929->16930 16931 419903 16930->16931 16932 419b90 16931->16932 16935 419ba4 16931->16935 16933 41bef0 RtlFreeHeap 16932->16933 16934 419b9a 16933->16934 16934->16903 16936 41bef0 RtlFreeHeap 16935->16936 16937 419bf9 16936->16937 16937->16903 16939 40760f 16938->16939 16940 407525 16938->16940 16939->16905 16940->16939 16941 4156a0 5 API calls 16940->16941 16942 407592 16941->16942 16943 41bef0 RtlFreeHeap 16942->16943 16944 4075b9 16942->16944 16943->16944 16944->16905 16946 408785 16945->16946 16948 4087dd 16946->16948 16949 40b940 16946->16949 16948->16923 16951 40b96c 16949->16951 16950 40b98c 16950->16948 16951->16950 16952 41a450 NtClose 16951->16952 16953 40b9ea 16952->16953 16953->16948

                                              Control-flow Graph

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B1AD,?,0041B1AD,?,00000000,?,00003000,00000040,00409113,00000000), ref: 0041A539
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: e851530ecd666a3219d7824d03f1c4c01da60fba56c2d333e214ea9ced32847e
                                              • Instruction ID: aa27d9da4c2f25ec483a1e5874ae80fa27c200a9ba5aac81ef16f99bc37b1bb3
                                              • Opcode Fuzzy Hash: e851530ecd666a3219d7824d03f1c4c01da60fba56c2d333e214ea9ced32847e
                                              • Instruction Fuzzy Hash: 0A0104B5200108AFDB04DF99DC85DEB77A9AF88268B108109B90897202C634E9218BF1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered graph not captured; nodes were coloured as Executed / Not Executed)
                                              control_flow_graph 96 41a31a-41a371 call 41af70 NtCreateFile
                                              C-Code - Quality: 53%
                                              			E0041A31A(void* __eax, void* __ecx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
                                              				intOrPtr _v0;
                                              				long _t24;
                                              
                                              				_pop(_t32);
                                              				_push(cs);
                                              				asm("fistp qword [esi-0x741374ab]");
                                              				_t18 = _v0;
                                              				_t4 = _t18 + 0xc5c; // 0xc5c
                                              				E0041AF70( *((intOrPtr*)(_v0 + 0x14)), _t18, _t4,  *((intOrPtr*)(_v0 + 0x14)), 0, 0x28);
                                              				_t24 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
                                              				return _t24;
                                              			}
                                              Instruction addresses: 0x0041a31a 0x0041a31d 0x0041a31e 0x0041a323 0x0041a32f 0x0041a337 0x0041a36d 0x0041a371

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A36D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 45428ed4da9dd6da7928225fc5a53e00042f8c47e2469d39ea427889f968ab6a
                                              • Instruction ID: 1b44c7ff4bde081d1c3ea9e68ae291f3e754f6bb09c827ec3ed19d6487fc3aa2
                                              • Opcode Fuzzy Hash: 45428ed4da9dd6da7928225fc5a53e00042f8c47e2469d39ea427889f968ab6a
                                              • Instruction Fuzzy Hash: 320114B2204109AFCB49DF98DC84CEB77A9EF8C314B04865CF95897201D630E851CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered graph not captured; nodes were coloured as Executed / Not Executed)
                                              control_flow_graph 99 41a320-41a336 100 41a33c-41a371 NtCreateFile 99->100 101 41a337 call 41af70 99->101 101->100
                                              C-Code - Quality: 100%
                                              			E0041A320(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                              				long _t21;
                                              
                                              				_t3 = _a4 + 0xc5c; // 0xc5c
                                              				E0041AF70( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
                                              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                              				return _t21;
                                              			}
                                              Instruction addresses: 0x0041a32f 0x0041a337 0x0041a36d 0x0041a371

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A36D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
                                              • Instruction ID: a2aaebe10041835da89b7de23d426bb534e4eab43eabe5d401869e8ba4a1940d
                                              • Opcode Fuzzy Hash: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
                                              • Instruction Fuzzy Hash: FEF06DB6215208AFCB48DF89DC85EEB77ADAF8C754F118248BA0997251D630F8518BA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered graph not captured; nodes were coloured as Executed / Not Executed)
                                              control_flow_graph 102 41a3d0-41a419 call 41af70 NtReadFile
                                              C-Code - Quality: 37%
                                              			E0041A3D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                                              				void* _t18;
                                              				intOrPtr* _t27;
                                              
                                              				_t13 = _a4;
                                              				_t27 = _a4 + 0xc64;
                                              				E0041AF70( *((intOrPtr*)(_t13 + 0x14)), _t13, _t27,  *((intOrPtr*)(_t13 + 0x14)), 0, 0x2a);
                                              				_t18 =  *((intOrPtr*)( *_t27))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
                                              				return _t18;
                                              			}
                                              Instruction addresses: 0x0041a3d3 0x0041a3df 0x0041a3e7 0x0041a415 0x0041a419

                                              APIs
                                              • NtReadFile.NTDLL(004159C2,5DA515B3,FFFFFFFF,00415681,?,?,004159C2,?,00415681,FFFFFFFF,5DA515B3,004159C2,?,00000000), ref: 0041A415
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
                                              • Instruction ID: 779a587cf63d30236cb0bbdb99b63125838c179a486f17d262a5a2bfd3bb36b4
                                              • Opcode Fuzzy Hash: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
                                              • Instruction Fuzzy Hash: 15F0A4B6200208ABCB14DF99DC85EEB77ADAF8C754F118249BA0D97251D630E811CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph 105 41a4fa-41a53d call 41af70 NtAllocateVirtualMemory
                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B1AD,?,0041B1AD,?,00000000,?,00003000,00000040,00409113,00000000), ref: 0041A539
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: 763b75df4ea9a93642de08bb31a889adb92901fb6c4ca084ece2465f2162bacc
                                              • Instruction ID: 8287ed5d9f1b39e455a0af290562abda46d25851da86bf1a731b4000a40ad509
                                              • Opcode Fuzzy Hash: 763b75df4ea9a93642de08bb31a889adb92901fb6c4ca084ece2465f2162bacc
                                              • Instruction Fuzzy Hash: BBF085B2200108AFDB18DF99DC84EEB77A9EF8C358F008149FA0C9B241C630E810CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph 109 41a500-41a53d call 41af70 NtAllocateVirtualMemory
                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B1AD,?,0041B1AD,?,00000000,?,00003000,00000040,00409113,00000000), ref: 0041A539
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
                                              • Instruction ID: 44bf95e658cca290f27d383d2d8ad6e73610bd7c98e0f9e069b1e3542d92265d
                                              • Opcode Fuzzy Hash: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
                                              • Instruction Fuzzy Hash: 6CF015B6210208ABDB14DF89DC81EEB77ADAF8C754F018109BE0897241C630F811CBB4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph 119 41a450-41a479 call 41af70 NtClose
                                              C-Code - Quality: 100%
                                              			E0041A450(intOrPtr _a4, void* _a8) {
                                              				long _t8;
                                              
                                              				_t5 = _a4;
                                              				_t2 = _t5 + 0x14; // 0x56c29f0f
                                              				_t3 = _t5 + 0xc6c; // 0x409d7f
                                              				E0041AF70( *_t2, _a4, _t3,  *_t2, 0, 0x2c);
                                              				_t8 = NtClose(_a8); // executed
                                              				return _t8;
                                              			}

                                              APIs
                                              • NtClose.NTDLL(004159A0,?,?,004159A0,00409113,FFFFFFFF), ref: 0041A475
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
                                              • Instruction ID: 89d28a435c4e5e12339fbd4884c2b6668c99de876a0decdf7d51bdf93669a9a3
                                              • Opcode Fuzzy Hash: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
                                              • Instruction Fuzzy Hash: 9ED01776200214ABD620EB99DC89ED77BACDF48664F018055BA485B242C530FA1086E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E00408ED0(intOrPtr* _a4) {
                                              				intOrPtr _v8;
                                              				char _v24;
                                              				char _v284;
                                              				char _v804;
                                              				char _v840;
                                              				void* _t24;
                                              				void* _t31;
                                              				void* _t33;
                                              				void* _t34;
                                              				void* _t39;
                                              				void* _t50;
                                              				intOrPtr* _t52;
                                              				void* _t53;
                                              				void* _t54;
                                              				void* _t55;
                                              				void* _t56;
                                              
                                              				_t52 = _a4;
                                              				_t39 = 0; // executed
                                              				_t24 = E00407210(_t52,  &_v24); // executed
                                              				_t54 = _t53 + 8;
                                              				if(_t24 != 0) {
                                              					E00407420( &_v24,  &_v840);
                                              					_t55 = _t54 + 8;
                                              					do {
                                              						E0041BF40( &_v284, 0x104);
                                              						E0041C5B0( &_v284,  &_v804);
                                              						_t56 = _t55 + 0x10;
                                              						_t50 = 0x4f;
                                              						while(1) {
                                              							_t31 = E00415A40(E004159E0(_t52, _t50),  &_v284);
                                              							_t56 = _t56 + 0x10;
                                              							if(_t31 != 0) {
                                              								break;
                                              							}
                                              							_t50 = _t50 + 1;
                                              							if(_t50 <= 0x62) {
                                              								continue;
                                              							} else {
                                              							}
                                              							goto L8;
                                              						}
                                              						_t9 = _t52 + 0x18; // 0x5e14c483
                                              						 *(_t52 + 0x478) =  *(_t52 + 0x478) ^  *_t9;
                                              						_t39 = 1;
                                              						L8:
                                              						_t33 = E00407450( &_v24,  &_v840);
                                              						_t55 = _t56 + 8;
                                              					} while (_t33 != 0 && _t39 == 0);
                                              					_t34 = E004074D0(_t52,  &_v24); // executed
                                              					if(_t39 == 0) {
                                              						asm("rdtsc");
                                              						asm("rdtsc");
                                              						_v8 = _t34 - 0 + _t34;
                                              						 *((intOrPtr*)(_t52 + 0x560)) =  *((intOrPtr*)(_t52 + 0x560)) + 0xffffffba;
                                              					}
                                              					 *((intOrPtr*)(_t52 + 0x35)) =  *((intOrPtr*)(_t52 + 0x35)) + _t39;
                                              					_t20 = _t52 + 0x35; // 0xffff43e8
                                              					 *((intOrPtr*)(_t52 + 0x36)) =  *((intOrPtr*)(_t52 + 0x36)) +  *_t20 + 1;
                                              					return 1;
                                              				} else {
                                              					return _t24;
                                              				}
                                              			}

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1ada6c65c81da39f92a8911f7e0e8c49d1a74177e876a00e20bb5bbc608198c
                                              • Instruction ID: cf0e5f29dbad696541b590ed4d5857ed9ac00164998f33992c9cd2087abb1f81
                                              • Opcode Fuzzy Hash: b1ada6c65c81da39f92a8911f7e0e8c49d1a74177e876a00e20bb5bbc608198c
                                              • Instruction Fuzzy Hash: CD210CB2D4010957CB20D6749D42AFB73ACAB54314F44057FF989A3181FA387B8987A6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph 113 41a5f0-41a621 call 41af70 RtlAllocateHeap
                                              C-Code - Quality: 100%
                                              			E0041A5F0(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                              				void* _t10;
                                              
                                              				E0041AF70( *((intOrPtr*)(_a4 + 0x14)), _a4, _t7 + 0xc8c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x34);
                                              				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                              				return _t10;
                                              			}

                                              APIs
                                              • RtlAllocateHeap.NTDLL(00415186,?,004158FF,004158FF,?,00415186,?,?,?,?,?,00000000,00409113,?), ref: 0041A61D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
                                              • Instruction ID: a902bd2471d7bf624e41e955d84fd9d1c4f3b9c17a63ece7231003dd0180069e
                                              • Opcode Fuzzy Hash: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
                                              • Instruction Fuzzy Hash: 9DE01AB52002046BDB14DF89DC45E9737ACAF88654F018155BA085B241C530F9108AB5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph 116 41a630-41a661 call 41af70 RtlFreeHeap
                                              C-Code - Quality: 30%
                                              			E0041A630(void* __ebx, signed int __ecx, void* __edx, void* __esi, void* _a4, void* _a8, long _a12, void* _a16) {
                                              				void* _v3;
                                              				char _t15;
                                              
                                              				 *(__ebx + 0x6a561448) =  *(__ebx + 0x6a561448) | __ecx;
                                              				 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __edx;
                                              				E0041AF70(__ecx);
                                              				_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                              				return _t15;
                                              			}

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00409113,?,?,00409113,00000060,00000000,00000000,?,?,00409113,?,00000000), ref: 0041A65D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID:
                                              • API String ID: 3298025750-0
                                              • Opcode ID: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
                                              • Instruction ID: 7f623aad187af7064e7533bd75938f2c26ac04ae0faa765159e468c107c5f902
                                              • Opcode Fuzzy Hash: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
                                              • Instruction Fuzzy Hash: 6EE012B5200208ABDB14EF89DC49EA737ACAF88764F118159BA085B252C630E9208AB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              control_flow_graph 122 41a634-41a644 123 41a64c-41a661 RtlFreeHeap 122->123 124 41a647 call 41af70 122->124 124->123
                                              C-Code - Quality: 30%
                                              			E0041A634(void* __eax, void* __ebx, signed int __ecx, void* __edx, void* __esi) {
                                              				char _t14;
                                              				void* _t23;
                                              
                                              				_t24 = _t23 + 1;
                                              				 *(__ebx + 0x6a561448) =  *(__ebx + 0x6a561448) | __ecx;
                                              				 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __edx;
                                              				E0041AF70(__ecx);
                                              				_t14 = RtlFreeHeap( *(_t23 + 0xd),  *(_t23 + 0x11),  *(_t24 + 0x14)); // executed
                                              				return _t14;
                                              			}

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00409113,?,?,00409113,00000060,00000000,00000000,?,?,00409113,?,00000000), ref: 0041A65D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID:
                                              • API String ID: 3298025750-0
                                              • Opcode ID: bbc5bea22833f60bb347dd5f3269417969dd7c7c29082b1a9a4fbcbbb0a2e1d8
                                              • Instruction ID: 12aface5bf18f8c3552746926844f49dcd9dab55b7bd8d9fa68d065b2b72a906
                                              • Opcode Fuzzy Hash: bbc5bea22833f60bb347dd5f3269417969dd7c7c29082b1a9a4fbcbbb0a2e1d8
                                              • Instruction Fuzzy Hash: DBD02BF81042451FDB10EFA9D8C089B37D4FF80318710854AFC5847317C130D8658BB2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4a0aee665b0f76547c405cb8c50d385737418d02a9b8f6024a80f689f521e310
                                              • Instruction ID: 9a05cc80cebd73f603b0faac74326bc82776b299c2eb20142adbf52cc6db4ab3
                                              • Opcode Fuzzy Hash: 4a0aee665b0f76547c405cb8c50d385737418d02a9b8f6024a80f689f521e310
                                              • Instruction Fuzzy Hash: 69D0A927A290680AD9140C9CBC401F0FBA8C387126F2026E3EC0CE7A12A08FC422428A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 37%
                                              			E0040CA10() {
                                              
                                              				asm("sti");
                                              				return 0x3a;
                                              			}

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.301741278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_400000_SecuriteInfo.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6d91bc40b127a7a4391d81bd122d8ad5c92b23a50afba58e0e05f7f69b2ba350
                                              • Instruction ID: b31d3ba8e386b87e6c95dd552e8bdedb4885da19462f18cf7754127c0dc5cc74
                                              • Opcode Fuzzy Hash: 6d91bc40b127a7a4391d81bd122d8ad5c92b23a50afba58e0e05f7f69b2ba350
                                              • Instruction Fuzzy Hash: D6A0011BF450191185295C8A78410B4E364D18707AD5033B7DE1CF3600180BC42616AE
                                              Uniqueness

                                              Uniqueness Score: -1.00%