Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.18072.21111

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetectNet.01.18072.21111 (renamed file extension from 21111 to exe)
Analysis ID:	682146
MD5:	62d82f1dfb55dde5554c8b278a819ac9
SHA1:	01e84f817807005f8d557d5320ddf9c366486620
SHA256:	7b968e65480e574dbf93ace25a28a30ca1f7b77fa98aabe980435484c365efbc
Tags:	exe
Infos:

Detection

StormKitty

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Yara detected StormKitty Stealer

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Queries information about the installed CPU (vendor, model number etc)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.AIDetectNet.01.18072.exe (PID: 4288 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe" MD5: 62D82F1DFB55DDE5554C8B278A819AC9)

MSBuild.exe (PID: 4144 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

MSBuild.exe (PID: 5640 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

AppLaunch.exe (PID: 60 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x327c:$op1: 04 1E FE 02 04 16 FE 01 60 0x316c:$op2: 00 17 03 1F 20 17 19 15 28 0x3c02:$op3: 00 04 03 69 91 1B 40 0x4452:$op3: 00 04 03 69 91 1B 40
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x2c1c:$op1: 04 1E FE 02 04 16 FE 01 60 0x2b0c:$op2: 00 17 03 1F 20 17 19 15 28 0x35a2:$op3: 00 04 03 69 91 1B 40 0x3df2:$op3: 00 04 03 69 91 1B 40
00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x16cfc:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000006.00000002.278474507.000000000753B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AppLaunch.exe PID: 60	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AppLaunch.exe PID: 60	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: AppLaunch.exe PID: 60	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.raw.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x17ef0:$s1: Temporary Directory * for 0x17f4c:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0x17904:$s6: Content-Disposition: form-data; name="document"; filename=" 0x17e7c:$s7: CopyHere 0x17e44:$s9: shell.application 0x17e9c:$s9: Shell.Application 0x17a64:$s10: SetRequestHeader 0x17ffc:$s12: @TITLE Removing 0x18034:$s13: @RD /S /Q "
0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x17ef0:$s1: Temporary Directory * for 0x17f4c:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0x17904:$s6: Content-Disposition: form-data; name="document"; filename=" 0x17e7c:$s7: CopyHere 0x17e44:$s9: shell.application 0x17e9c:$s9: Shell.Application 0x17a64:$s10: SetRequestHeader 0x17ffc:$s12: @TITLE Removing 0x18034:$s13: @RD /S /Q "
5.0.MSBuild.exe.400000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x17ef0:$s1: Temporary Directory * for 0x17f4c:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0x17904:$s6: Content-Disposition: form-data; name="document"; filename=" 0x17e7c:$s7: CopyHere 0x17e44:$s9: shell.application 0x17e9c:$s9: Shell.Application 0x17a64:$s10: SetRequestHeader 0x17ffc:$s12: @TITLE Removing 0x18034:$s13: @RD /S /Q "
6.0.AppLaunch.exe.12b0000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x347c:$op1: 04 1E FE 02 04 16 FE 01 60 0x336c:$op2: 00 17 03 1F 20 17 19 15 28 0x3e02:$op3: 00 04 03 69 91 1B 40 0x4652:$op3: 00 04 03 69 91 1B 40
6.0.AppLaunch.exe.12b0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.0.AppLaunch.exe.12b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.AppLaunch.exe.12b0000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
6.0.AppLaunch.exe.12b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.0.AppLaunch.exe.12b0000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x13194:$x2: https://github.com/LimerBoy/StormKitty 0x131b0:$x3: StormKitty 0xdbac:$s2: GetAntivirus 0x11f57:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x103b1:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0xee8a:$s6: "encrypted_key":"(.*?)"
6.0.AppLaunch.exe.12b0000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x1004c:$v1_5: sharedSecret 0xf784:$v1_6: ":"([^"]+)" 0x10b17:$v1_7: \credentials.txt 0xd7ab:$v1_8: WritePasswords 0xd9d3:$v1_9: sGeckoBrowserPaths 0xc577:$v1_10: get_sPassword
Click to see the 5 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Virustotal: Detection: 37%			Perma Link
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	ReversingLabs: Detection: 22%

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Joe Sandbox ML: detected

Source: 5.0.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack	Avira: Label: TR/Dropper.Gen

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdb source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdbDO source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_04695CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_04695C8F

Networking

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	DNS query: name: icanhazip.com
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	DNS query: name: icanhazip.com

Yara detected Generic Downloader

Source: Yara match

File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.18.115.97 104.18.115.97

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: AppLaunch.exe, 00000006.00000002.278289378.00000000074EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com4
Source: AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242460534.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.241663603.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom9
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242460534.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.241663603.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242609831.0000000005758000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242565843.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.264148491.0000000005753000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comlvfet
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como&
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232034414.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comc
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232090615.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comic
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232053595.000000000575B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comn75
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.234226531.000000000574E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265577466.0000000000987000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.238153037.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//2(o$
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//s
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/22
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/=2
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y02
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/e
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.238153037.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=2
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s2Lo
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270617234.0000000003774000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000000.262112216.0000000000401000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty

Source: unknown

DNS traffic detected: queries for: 46.138.7.0.in-addr.arpa

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 5.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

.NET source code contains very large strings

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, VideoCollection/MainForm.cs	Long String: Length: 31313
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.340000.0.unpack, VideoCollection/MainForm.cs	Long String: Length: 31313

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 5.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_0264C374	0_2_0264C374
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_0264E671	0_2_0264E671
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_0264E680	0_2_0264E680
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_046911C8	0_2_046911C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_04694E98	0_2_04694E98
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_046911C6	0_2_046911C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_046911B9	0_2_046911B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_04690B80	0_2_04690B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_04690B90	0_2_04690B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EB5CB8	0_2_06EB5CB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EB5550	0_2_06EB5550
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EBF280	0_2_06EBF280
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EB1A68	0_2_06EB1A68
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EFDFD8	0_2_06EFDFD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EF0040	0_2_06EF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_058B76F8	6_2_058B76F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_058BAC10	6_2_058BAC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_058B6E28	6_2_058B6E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_058B6AE0	6_2_058B6AE0

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.275167015.0000000006ED0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.275507123.00000000071C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265951669.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265951669.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265951669.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecussedness.exe vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270016242.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecussedness.exe vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000000.226526470.00000000003CE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNuwi.exe@ vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Binary or memory string: OriginalFilenameNuwi.exe@ vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Virustotal: Detection: 37%
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	ReversingLabs: Detection: 22%

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@2/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270617234.0000000003774000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000000.262112216.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: B*\AC:\Users\TTDOCKYARD\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp8bA
Source: MSBuild.exe, 00000005.00000002.491480899.0000000000421000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: hA*\AC:\Users\TTDOCKYARD\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: 6.0.AppLaunch.exe.12b0000.0.unpack, Linq4you/FileZilla.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, Linq4you/SystemInfo.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, ThunderFox/MozillaTFOXPBE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdb source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdbDO source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, VideoCollection/MainForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.340000.0.unpack, VideoCollection/MainForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_04692116 push 00000033h; retn 8589h	0_2_04692120
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EB75F1 push dword ptr [esp-75h]; iretd	0_2_06EB75F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EF3783 push eax; ret	0_2_06EF3789
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EF3780 pushad ; ret	0_2_06EF3781
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Code function: 0_2_06EF42D0 pushfd ; retf	0_2_06EF42D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_058B229A pushfd ; retf	6_2_058B22B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_058B42A0 pushfd ; retf	6_2_058B42A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_058BBCB8 push eax; iretd	6_2_058BBCB9

Source: initial sample

Static PE information: section name: .text entropy: 7.562192679273532

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe TID: 5468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5192	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: AppLaunch.exe, 00000006.00000002.276639658.00000000056A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AppLaunch.exe, 00000006.00000002.276639658.00000000056A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareK2PEL8NWWin32_VideoController95YFH3V7VideoController120060621000000.000000-00093.61714display.infMSBDA632TZBCUPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZPZ9O9OF
Source: AppLaunch.exe, 00000006.00000002.276639658.00000000056A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Code function: 6_2_058B07B8 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,

6_2_058B07B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 421000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 10AF008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.278474507.000000000753B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	131 Windows Management Instrumentation	Path Interception	211 Process Injection	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	211 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	38%	Virustotal		Browse
SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	22%	ReversingLabs	ByteCode-MSIL.Infostealer.Generic
SecuriteInfo.com.W32.AIDetectNet.01.18072.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.0.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File
0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
46.138.7.0.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://icanhazip.com4	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/=2	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comcom9	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp//s	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fontbureau.como&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/s2Lo	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y02	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//2(o$	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/o	0%	URL Reputation	safe
http://www.fontbureau.comlvfet	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/e	0%	URL Reputation	safe
http://www.fontbureau.comalic	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/22	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/=2	0%	Avira URL Cloud	safe
http://www.fonts.comn75	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
icanhazip.com	104.18.115.97	true	false		high
46.138.7.0.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270617234.0000000003774000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000000.262112216.0000000000401000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	false		high
http://icanhazip.com4	AppLaunch.exe, 00000006.00000002.278289378.00000000074EE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/=2	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comcom9	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp//s	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265577466.0000000000987000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comic	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232090615.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/LimerBoy/StormKitty	AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://icanhazip.com	AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242460534.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.241663603.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comc	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232034414.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como&	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/s2Lo	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y02	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.238153037.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//2(o$	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.234226531.000000000574E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/o	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comlvfet	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242460534.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.241663603.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242609831.0000000005758000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242565843.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.264148491.0000000005753000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comm	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.238153037.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/e	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comalic	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/22	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/=2	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comn75	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232053595.000000000575B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.18.115.97	icanhazip.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682146
Start date and time:	2022-08-11 06:30:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetectNet.01.18072.21111 (renamed file extension from 21111 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@2/1
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 131 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target MSBuild.exe, PID 5640 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:31:16	API Interceptor	1x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe modified
06:31:23	API Interceptor	903x Sleep call for process: MSBuild.exe modified
06:31:29	API Interceptor	1x Sleep call for process: AppLaunch.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.18.115.97	hesaphareketi-01.exe	Get hash	malicious	Browse	icanhazip.com/
	NWHigo9mNH.exe	Get hash	malicious	Browse	icanhazip.com/
	BnwQrIl9FZ.exe	Get hash	malicious	Browse	icanhazip.com/
	Revised shipment.pdf.exe	Get hash	malicious	Browse	icanhazip.com/
	3WdlXj8suM.exe	Get hash	malicious	Browse	icanhazip.com/
	VW16JuYECF.exe	Get hash	malicious	Browse	icanhazip.com/
	Halkbank,.pdf.exe	Get hash	malicious	Browse	icanhazip.com/
	C5fOab30UG.exe	Get hash	malicious	Browse	icanhazip.com/
	PO 7500093232.exe	Get hash	malicious	Browse	icanhazip.com/
	n0k4chByJm.exe	Get hash	malicious	Browse	icanhazip.com/
	Invoice no. 004.exe	Get hash	malicious	Browse	icanhazip.com/
	Doc899780979080888.pdf.exe	Get hash	malicious	Browse	icanhazip.com/
	hesaphareketi-01.pdf.exe	Get hash	malicious	Browse	icanhazip.com/
	20220725 0029930__969959500.exe	Get hash	malicious	Browse	icanhazip.com/
	20220725 009291000 992992920.pdf.exe	Get hash	malicious	Browse	icanhazip.com/
	DK098765434567890-46.exe	Get hash	malicious	Browse	icanhazip.com/
	2D3OgZjZgz.exe	Get hash	malicious	Browse	icanhazip.com/
	hesaphareketi-01.exe	Get hash	malicious	Browse	icanhazip.com/
	doc44600059540469902.pdf.exe	Get hash	malicious	Browse	icanhazip.com/
	Bc90WRHFvI.exe	Get hash	malicious	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
icanhazip.com	4744598.EXE	Get hash	malicious	Browse	104.18.114.97
	hesaphareketi-01.exe	Get hash	malicious	Browse	104.18.115.97
	NWHigo9mNH.exe	Get hash	malicious	Browse	104.18.115.97
	BnwQrIl9FZ.exe	Get hash	malicious	Browse	104.18.115.97
	Revised shipment.pdf.exe	Get hash	malicious	Browse	104.18.115.97
	3WdlXj8suM.exe	Get hash	malicious	Browse	104.18.115.97
	Lg3gn9y1Cj.exe	Get hash	malicious	Browse	104.18.114.97
	VW16JuYECF.exe	Get hash	malicious	Browse	104.18.115.97
	3djX04cCOE.exe	Get hash	malicious	Browse	104.18.114.97
	Halkbank,.pdf.exe	Get hash	malicious	Browse	104.18.115.97
	Revised shipment.pdf.exe	Get hash	malicious	Browse	104.18.114.97
	Swift.txt.exe	Get hash	malicious	Browse	104.18.114.97
	Micro tunneling Drawings.pdf1.4MB.exe	Get hash	malicious	Browse	104.18.115.97
	C5fOab30UG.exe	Get hash	malicious	Browse	104.18.115.97
	9KZPWGuxKu.exe	Get hash	malicious	Browse	104.18.114.97
	9ED17l5AHb.exe	Get hash	malicious	Browse	104.18.114.97
	Demmurage_INV00245.pdf.exe	Get hash	malicious	Browse	104.18.114.97
	PO 7500093232.exe	Get hash	malicious	Browse	104.18.115.97
	doc 20220726 009910 984993.pdf.exe	Get hash	malicious	Browse	104.18.114.97
	Ziraat Bankas Swift Mesaj.exe	Get hash	malicious	Browse	104.18.114.97

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Doc11245.htm	Get hash	malicious	Browse	104.18.10.207
	https://lemissaire.tg/L0ck/	Get hash	malicious	Browse	104.17.25.14
	https://764827.selcdn.ru/share-point/sharepoint.html#ruth.harris@ashurst.com	Get hash	malicious	Browse	104.17.24.14
	https://invitee.notion.site/SAMCO-SALES-INC-facf804e29d14b018ace2c0ab9caf6ce	Get hash	malicious	Browse	172.64.154.162
	https://www.heroflooring.com/yopilesterer/peuvibed/dsendaremar/fixcder/x5I0r2/hello@yourdumb.com.au	Get hash	malicious	Browse	104.21.53.35
	https://indd.adobe.com/view/17d80112-3e5d-425d-adc1-a2d9ede7ebb2	Get hash	malicious	Browse	104.17.24.14
	https://smartsourcellc.nimbusweb.me/share/7407459/h1uk7p1mhlvcwzcpkw5f	Get hash	malicious	Browse	104.16.126.175
	http://promitattoos.com/	Get hash	malicious	Browse	188.114.97.3
	https://issuu.com/kdcocument/docs/09878675456789809?fr=sMjg4MDUyNzIxNDI	Get hash	malicious	Browse	104.17.24.14
	http://kingfaisalprize.org/	Get hash	malicious	Browse	104.26.7.42
	https://www.paperturn-view.com/?pid=MjY264454&v=1.1	Get hash	malicious	Browse	104.16.107.139
	http://recp.mkt51.net/ctt?m=27097482&r=NzgzMjA3MzI5NTYxS0&j=MjI0NDQyMzQ1NgS2&b=3&mt=1&rt=0&kx=1&kt=12&k=ShopName&kd=https://Gcgaming.digibuyers.ir/ber/?e=c2hhd24uZHVuY2FuQGdjZ2FtaW5nLmNvbQ==	Get hash	malicious	Browse	104.18.11.207
	https://www.paperturn-view.com/?pid=MjY264735&v=1.1	Get hash	malicious	Browse	104.17.25.14
	maldoc.html	Get hash	malicious	Browse	104.17.25.14
	#U260e#Ufe0f New Payment Request.htm	Get hash	malicious	Browse	188.114.96.3
	https://app.getresponse.com/click.html?x=a62b&lc=SNTQlu&mc=It&s=BIUpUo1&u=wkqNo&z=Ey5btDo&	Get hash	malicious	Browse	188.114.97.3
	injector.exe	Get hash	malicious	Browse	162.159.134.233
	modest-menu.exe	Get hash	malicious	Browse	188.114.97.3
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	172.67.74.85
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	172.67.74.85

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1036
Entropy (8bit):	5.356180291633412
Encrypted:	false
SSDEEP:	24:MLasXE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MNH2HKXwYHKhQnoPtHoxHhAHKzvKvj
MD5:	7F8E631F679DF67A018544E516CF841E
SHA1:	02F03B1AB3CF33821236F743139693A61906A72B
SHA-256:	1FB2E1F28E4A338CD7E04A147E290E1DD880E83054BB2BA48EF6038EBA0BFACD
SHA-512:	4F7FD1AC6D22F8891F77BD3359EB0A536AB8E8A3D064BBAAB6620826F6B9FC8FC18DAB73474DB4806ED9CD1F5652549D7122E1DE8E5741010E7B3BE3F79EBBB7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.559415867177912
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
File size:	581632
MD5:	62d82f1dfb55dde5554c8b278a819ac9
SHA1:	01e84f817807005f8d557d5320ddf9c366486620
SHA256:	7b968e65480e574dbf93ace25a28a30ca1f7b77fa98aabe980435484c365efbc
SHA512:	e1e629f928a1596325af166a50248794d0a4c8129442b25dd514a5ec6e9eef39c1d8867db6f85a72ffd3f0aa349c28af7ff70dd58027f8a04e15a8cb491a1d54
SSDEEP:	12288:M3Ih6jMEb6Qyxao8Fhyq+rqSAl4zXh2J3Fi7mX/IkQkk36EZd/gnS9ZviI:W9Jb6Q28Fu9AvPI2k71fB
TLSH:	2BC4D02125A97229E0397BB51DD770A107F5F622DE06F57F3CB931860251E838BAE732
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Qi.b..............P......4........... ........@.. .......................@............@................................

File Icon


Icon Hash:	d4eaccb4e4c8bac4

Static PE Info

General

Entrypoint:	0x48c90e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F46951 [Thu Aug 11 02:28:33 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc edx
add byte ptr [eax+eax+41h], al
add byte ptr [ecx+00h], al
inc ebx
add byte ptr [ecx+00h], al
inc edx
add byte ptr [ecx+00h], al
inc ebx
add byte ptr [eax+eax+42h], al
add byte ptr [ebx+00h], al
inc esp
add byte ptr [ecx+00h], al
inc esp
add byte ptr [ebx+00h], al
inc ebx
add byte ptr [edx+00h], al
inc esp
add byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8c8bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x30a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8a93c	0x8aa00	False	0.8138402417718665	data	7.562192679273532	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x30a4	0x3200	False	0.91921875	data	7.63895625946023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8e0c8	0x2c63	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x90d3c	0x14	data
RT_VERSION	0x90d60	0x340	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:31:28.024966955 CEST	49757	80	192.168.2.4	104.18.115.97
Aug 11, 2022 06:31:28.042078972 CEST	80	49757	104.18.115.97	192.168.2.4
Aug 11, 2022 06:31:28.042203903 CEST	49757	80	192.168.2.4	104.18.115.97
Aug 11, 2022 06:31:28.043061018 CEST	49757	80	192.168.2.4	104.18.115.97
Aug 11, 2022 06:31:28.059881926 CEST	80	49757	104.18.115.97	192.168.2.4
Aug 11, 2022 06:31:28.067483902 CEST	80	49757	104.18.115.97	192.168.2.4
Aug 11, 2022 06:31:28.160531998 CEST	49757	80	192.168.2.4	104.18.115.97
Aug 11, 2022 06:31:29.704567909 CEST	49757	80	192.168.2.4	104.18.115.97

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:31:27.635854006 CEST	62099	53	192.168.2.4	8.8.8.8
Aug 11, 2022 06:31:27.653176069 CEST	53	62099	8.8.8.8	192.168.2.4
Aug 11, 2022 06:31:27.965552092 CEST	53775	53	192.168.2.4	8.8.8.8
Aug 11, 2022 06:31:27.987278938 CEST	53	53775	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 11, 2022 06:31:27.635854006 CEST	192.168.2.4	8.8.8.8	0x74b5	Standard query (0)	46.138.7.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 11, 2022 06:31:27.965552092 CEST	192.168.2.4	8.8.8.8	0xb375	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 11, 2022 06:31:27.653176069 CEST	8.8.8.8	192.168.2.4	0x74b5	Name error (3)	46.138.7.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Aug 11, 2022 06:31:27.987278938 CEST	8.8.8.8	192.168.2.4	0xb375	No error (0)	icanhazip.com		104.18.115.97	A (IP address)	IN (0x0001)
Aug 11, 2022 06:31:27.987278938 CEST	8.8.8.8	192.168.2.4	0xb375	No error (0)	icanhazip.com		104.18.114.97	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49757	104.18.115.97	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Timestamp	kBytes transferred	Direction	Data
Aug 11, 2022 06:31:28.043061018 CEST	1022	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Aug 11, 2022 06:31:28.067483902 CEST	1023	IN	HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 04:31:28 GMT Content-Type: text/plain Content-Length: 14 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=Ey9b06GkUs3RvYus4mW9JMaXcGtQPk1nY.hCZFDJvks-1660192288-0-ATd2/GorYZ33ONvLo9CvyJg1+WCE9p13NRWeYbFnhablhqkRPrYfYCNh6YHAX3XQFFLxJFgRV8le0MmrRGHHRkc=; path=/; expires=Thu, 11-Aug-22 05:01:28 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 738e3de84d1768f2-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 33 0a Data Ascii: 102.129.143.3

Target ID:	0
Start time:	06:31:05
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe"
Imagebase:	0x340000
File size:	581632 bytes
MD5 hash:	62D82F1DFB55DDE5554C8B278A819AC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	06:31:19
Start date:	11/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x420000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	06:31:21
Start date:	11/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xe90000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	06:31:24
Start date:	11/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase:	0x1310000
File size:	98912 bytes
MD5 hash:	6807F903AC06FF7E1670181378690B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.278474507.000000000753B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.4%
Total number of Nodes:	205
Total number of Limit Nodes:	13

Executed Functions

Function 06EF0040 Relevance: .9, Instructions: 927COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275197717.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f7c8c9302f4e227b3d8a999e801d663689f121cfe23233c1c53931f7411c68
Instruction ID: cd7d015be942e3682536bdfc8cbb8a41cbd8421a74a2bfdd07323090b07a62df
Opcode Fuzzy Hash: 57f7c8c9302f4e227b3d8a999e801d663689f121cfe23233c1c53931f7411c68
Instruction Fuzzy Hash: F6A22831E10619CFCB15EF68C8546EDB7B2FF89304F1482AAD90AA7251EB746E91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06EBF280 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a329d7ac1769144bfde7d96b22e5892e6e0e02eb648cd6e9a2900bb81a9a03d
Instruction ID: 48cd8f9677a01da9a44c36611805a46f079ac83879eb88d699dd0bc136c167c6
Opcode Fuzzy Hash: 6a329d7ac1769144bfde7d96b22e5892e6e0e02eb648cd6e9a2900bb81a9a03d
Instruction Fuzzy Hash: EC528035B002159FDB58DF69C994AEEB7B2FF88354B15A069E806DB3A4DB30DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB5550 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f76c2529d4dbac9cd3b4d8938d46d4bdd353e0118136f5de90fcc609242cc25
Instruction ID: f8c67ae14b89c9c801f66d8143811b99ddd405ab64d2bd3ff7a933779a990c38
Opcode Fuzzy Hash: 3f76c2529d4dbac9cd3b4d8938d46d4bdd353e0118136f5de90fcc609242cc25
Instruction Fuzzy Hash: 29229B70B002199FDB54DFA4C894BAEBBF2AF89304F149429E846DB395DF349D46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB1A68 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506cbd592061725cd5ef0456dced60cc77dc93136e688319144c120e6c4bbe93
Instruction ID: d3a8ad6eff0a72b6c127d38df355a4deb106d5fe7a601b7228a82512b4a4f745
Opcode Fuzzy Hash: 506cbd592061725cd5ef0456dced60cc77dc93136e688319144c120e6c4bbe93
Instruction Fuzzy Hash: 2022E371D1071ACACB15EF69C8506DAFBB1FF89300F1196AAD549B7214EB70AAC5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06EB5CB8 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff394f841c30a1594cf61893edbbdcbdc6f6f09043c01c36ee4b49f7368d433
Instruction ID: 6165fbee80b446efdb853fbd3fb36fc5dff48d927cbc808e581237c7cc74b149
Opcode Fuzzy Hash: 6ff394f841c30a1594cf61893edbbdcbdc6f6f09043c01c36ee4b49f7368d433
Instruction Fuzzy Hash: 24E12F70A10205DFDB54CFA9D984AEEBBF2BF49344F25A065E405AB2A1E731DC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06EFDFD8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275197717.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77106fe0c68573f649a2543d7f3366198af50d9385ec0cde111a9efd57fb652
Instruction ID: 1ac83c5615e22b64713b02a3345ff45e39ffe2edf28aab09f895fb886f2054be
Opcode Fuzzy Hash: f77106fe0c68573f649a2543d7f3366198af50d9385ec0cde111a9efd57fb652
Instruction Fuzzy Hash: C5815C71E10318AFDB55DFB5CC448AEBBBAFFC9300B15816AE115AB225EB319846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 046911C8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1407d35b0fc1dbc6bc963d1de7999597b03eed91aacd617111a0a564510854df
Instruction ID: 2fe41932dafa6640a71e9b5ad332552d7d5af10d58814ad79543ae6dca9995d8
Opcode Fuzzy Hash: 1407d35b0fc1dbc6bc963d1de7999597b03eed91aacd617111a0a564510854df
Instruction Fuzzy Hash: 32813970E1562ACBDB24CF25C9407D9BBF6BB89300F1485EAD009A7654EB70AEC5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 046911C6 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02c421f30a96045c04565ffe2c2887582ec2beffa64297bb1705f57772af73e
Instruction ID: 4a9fa99dc5c27ba4dfae80a20e0232849e8bb4a28cb4f2c4ca6a97ccd6b5d509
Opcode Fuzzy Hash: f02c421f30a96045c04565ffe2c2887582ec2beffa64297bb1705f57772af73e
Instruction Fuzzy Hash: E1611870E1562A8BDB28CF66C9447D9BBF2BF89300F1481EAC409A7654EB705EC5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 046911B9 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac35d869868ee45395e5be53df711f8907e9ab6a3ba109df32b7ee2c3899f97
Instruction ID: b9f4107e6d2657f808e77fc62ec0c58b8a6470e131c59f379304a219429cf550
Opcode Fuzzy Hash: 3ac35d869868ee45395e5be53df711f8907e9ab6a3ba109df32b7ee2c3899f97
Instruction Fuzzy Hash: 75611870E1162A8BDB28CF66C9407D9BBF2BF89300F1481EAC509A7654EB706EC5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0264B8D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0264B930
GetCurrentThread.KERNEL32 ref: 0264B96D
GetCurrentProcess.KERNEL32 ref: 0264B9AA
GetCurrentThreadId.KERNEL32 ref: 0264BA03

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3a8496bc11a56b1c467a7557311f4800c5021bdb594b9ddeef066c9deac48a9c
Instruction ID: dc5d15782a96d6dabf0232201bff71faa62dd09e4d5ec050b7452461539f324a
Opcode Fuzzy Hash: 3a8496bc11a56b1c467a7557311f4800c5021bdb594b9ddeef066c9deac48a9c
Instruction Fuzzy Hash: A25155B0D002499FDB14CFAAD6487DEBBF0FB49318F20805AE059A7760DB34A844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0264B8C0 Relevance: 6.1, APIs: 4, Instructions: 119
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0264B930
GetCurrentThread.KERNEL32 ref: 0264B96D
GetCurrentProcess.KERNEL32 ref: 0264B9AA
GetCurrentThreadId.KERNEL32 ref: 0264BA03

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ec5e460de8f626823ddbcdce210448a3dd08a4b9a34f6c8ae3c3dae4301b9c6c
Instruction ID: f52bb41a753835f0e33c9a8168009761d2b2c9a9ff0b60236f684e941988bc5c
Opcode Fuzzy Hash: ec5e460de8f626823ddbcdce210448a3dd08a4b9a34f6c8ae3c3dae4301b9c6c
Instruction Fuzzy Hash: 565156B4D002458FDB14CFA9D6487DEBBF1FB48318F20805AD459A7760DB38A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 026498D0 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02649B16

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d8b847895673027a609f4308cb4d58bcbc297bf125c24e772cebd47acb05872a
Instruction ID: 7dc2b5d90ad0f6491dd01e905e6e8127fd6f898cb669b77cae18532772acc5a1
Opcode Fuzzy Hash: d8b847895673027a609f4308cb4d58bcbc297bf125c24e772cebd47acb05872a
Instruction Fuzzy Hash: 36710071A01B058FD724DF6AD58179BBBF2BF88304F04892ED48A97B50DB74E8498B91

Uniqueness

Uniqueness Score: -1.00%

Function 0469283C Relevance: 1.6, APIs: 1, Instructions: 146
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0469299B

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8779b070c61c3abc7d30e79529bd8058a6ce553b7339cedcc82a7ca804f9892b
Instruction ID: e33a56bb3d3fafd3cc77318bdd1679354a2c73d9b1e9d6540ed20d009d8c225b
Opcode Fuzzy Hash: 8779b070c61c3abc7d30e79529bd8058a6ce553b7339cedcc82a7ca804f9892b
Instruction Fuzzy Hash: 6051F571D002299FDF20CF99D980BDDBBB5AF48314F14849AE848B7250DB70AA89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04692848 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0469299B

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 397ef1d7a9116fe19c3182323e0a46df7ef242423d4181fc18a43e16560855e7
Instruction ID: 6c2fc09a03f581d356454c54c8d4c8bf6c5d9770e2ffb9dfb8c54958d73f3764
Opcode Fuzzy Hash: 397ef1d7a9116fe19c3182323e0a46df7ef242423d4181fc18a43e16560855e7
Instruction Fuzzy Hash: 4F51F571D01319AFDF20CF99D980BDDBBB5AB48314F14849AE808B7210DB70AA89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0264FDEC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0264FF0A

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6fca5dbec5ad3ad2be5b2b6807846c0b9ce4823d8553edd644424fbd02cf208d
Instruction ID: c8e85fda0a1204c783ccd71c14939ce02929ca980bdc10819be1a95d41fa840c
Opcode Fuzzy Hash: 6fca5dbec5ad3ad2be5b2b6807846c0b9ce4823d8553edd644424fbd02cf208d
Instruction Fuzzy Hash: 7851B2B1D00309AFDB14CFA9C984ADEFBB5FF49314F24822AE419AB211D7759946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0264FDF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0264FF0A

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 83eefdc8f6036ac4fbbc50802f29ca94cd628422e6137bd14c541c9eab6c2a45
Instruction ID: 72d2844d031f7e66e85e2df7a257e8d612248f734579e5167936889e28c8f2c5
Opcode Fuzzy Hash: 83eefdc8f6036ac4fbbc50802f29ca94cd628422e6137bd14c541c9eab6c2a45
Instruction Fuzzy Hash: 6941B2B1D003099FDB14CFA9C984ADEFBB5BF48314F24822AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06EF26EA Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06EF3D2D,?,?), ref: 06EF3DDF

Memory Dump Source

Source File: 00000000.00000002.275197717.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_SecuriteInfo.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 13eb8f9023b1248b5fdead56d6ec2d63481f50da1a1345a1b2af499dbc8d3479
Instruction ID: 476ce52aeead45b433b9b6d9ae0a377fb2e3e1cc86c5127bfa11c6b71aac5060
Opcode Fuzzy Hash: 13eb8f9023b1248b5fdead56d6ec2d63481f50da1a1345a1b2af499dbc8d3479
Instruction Fuzzy Hash: 803102B5D00309AFDB00CF9AD8806EEFBF4EB58324F14842AE919A7310D775A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EF26EC Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06EF3D2D,?,?), ref: 06EF3DDF

Memory Dump Source

Source File: 00000000.00000002.275197717.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_SecuriteInfo.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e6a682b4278ae82870ff161bed9d32f0e80fccbd19c5b05ec4a84716f04aedfa
Instruction ID: a28880eaf29617847a127113b38d9eb0aaf8993d5e3f78fb8222a95f357a4f36
Opcode Fuzzy Hash: e6a682b4278ae82870ff161bed9d32f0e80fccbd19c5b05ec4a84716f04aedfa
Instruction Fuzzy Hash: EC31C2B5D003099FDB10CF9AD8846EEFBF9EB58324F14842AE915A7710D775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EF3D40 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06EF3D2D,?,?), ref: 06EF3DDF

Memory Dump Source

Source File: 00000000.00000002.275197717.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_SecuriteInfo.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 6602d8dc20d85dc99fa5dfb2ad623cb8cf7de55157af2bb985dc03c1b33f5db2
Instruction ID: 9fcf57dcf7bcec9f96cfc049f256f09b4fb2de2bd45136a74a40e42d482f0938
Opcode Fuzzy Hash: 6602d8dc20d85dc99fa5dfb2ad623cb8cf7de55157af2bb985dc03c1b33f5db2
Instruction Fuzzy Hash: 6531D1B5D003099FDB10CF9AD8846DEBBF5EB48324F14842AE915A7610D775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04692F00 Relevance: 1.6, APIs: 1, Instructions: 68
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04692F95

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d24b8d0509d050f0c9611521684a9f94cc7edcae40eb058f630d8df18e05e33d
Instruction ID: 4571d111bdc125b747e7f1f2968b7ac332041490137751b5b7e5a2add3d04576
Opcode Fuzzy Hash: d24b8d0509d050f0c9611521684a9f94cc7edcae40eb058f630d8df18e05e33d
Instruction Fuzzy Hash: C321F3B5900249DFCB10CF99D985BDEBBF4FF48324F10892AE418A3750E374A954CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04692F08 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04692F95

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1021a641e4965be121db09299cc3225703c7897d26996e91939538b574acab3f
Instruction ID: 9eba42d4f146a56d211cffd77e1e09c5101efa0c6f97cfef5e9145be34050d30
Opcode Fuzzy Hash: 1021a641e4965be121db09299cc3225703c7897d26996e91939538b574acab3f
Instruction Fuzzy Hash: C021E4B59002499FDF10CF9AC885BDEBBF8FB48314F10842AE819A3750D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0264BAF1 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0264BB7F

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 222a4c3fc8e1619d9ad5f05d54c023857a57c9d736f7dfa613f843b61f8349a0
Instruction ID: 582c73431bb1f924b5e24065af5917a82dd61ea44dd7293c61084ad8f474a210
Opcode Fuzzy Hash: 222a4c3fc8e1619d9ad5f05d54c023857a57c9d736f7dfa613f843b61f8349a0
Instruction Fuzzy Hash: 2E21E3B6D002099FDB10CF9AD984ADEFBF4FB48324F14841AE818A7710D774A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0264BAF8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0264BB7F

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b0b8f487389a2e5f5d8b0fdddb1234e6225bdebe0b1a5ff4f2eefd9a9f0edeb7
Instruction ID: e9fe9d206d85e33884df6be9f6584f4f9bc2a4346bc27960f66fab742baa636a
Opcode Fuzzy Hash: b0b8f487389a2e5f5d8b0fdddb1234e6225bdebe0b1a5ff4f2eefd9a9f0edeb7
Instruction Fuzzy Hash: 2B21E4B5D002099FDB10CF9AD984ADEFBF8EB48324F14801AE814A3710D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04692BB0 Relevance: 1.6, APIs: 1, Instructions: 60
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04692C2F

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e5494292c6814569fd868c8aa20f7b879a319856daf691eb8de26c435247da5b
Instruction ID: 8e06b4310eb927d2293ee71958467675843ac11fff5f11dbaa23b238e305ed2b
Opcode Fuzzy Hash: e5494292c6814569fd868c8aa20f7b879a319856daf691eb8de26c435247da5b
Instruction Fuzzy Hash: DD21F7B5D0061A9FDB10CF99C5857EEFBF4BB08314F14856AD418B3740E774A9458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 04692C78 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04692CF7

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 87e47cfbf898d332b84fb6ebafe344dbf4da0a34dc5b6ac9b520bf7b0b8db81b
Instruction ID: 82efe265d1f6fbe7f3fd000189bc3e902f49da5cf69d8564d4ec9e179b68ecf3
Opcode Fuzzy Hash: 87e47cfbf898d332b84fb6ebafe344dbf4da0a34dc5b6ac9b520bf7b0b8db81b
Instruction Fuzzy Hash: FE21D0B59002499FCB10CF9AD884BDEFBF8FB48320F10842AE918A3750D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04692C70 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04692CF7

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 56401df782d9f8a6ed949757eed185966d1a83ce343e56beadcdd75f4417d834
Instruction ID: 885111270d2ac6116485dd4af9ca0df1ac74501eac25439ea538012c8e6747f5
Opcode Fuzzy Hash: 56401df782d9f8a6ed949757eed185966d1a83ce343e56beadcdd75f4417d834
Instruction Fuzzy Hash: D721EFB6900249DFCB10CF9AD985BDEBBF4BF08310F10842AE918A3650D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04692BB8 Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 04692C2F

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6706d36242553ddd2af783e9219b4f7bfb2b40771b7986c000f402c826caa8cb
Instruction ID: fe712fa5a2d66c546f744761b85a42fd14fbdf770834cf7b2943a3c1e1a8809d
Opcode Fuzzy Hash: 6706d36242553ddd2af783e9219b4f7bfb2b40771b7986c000f402c826caa8cb
Instruction Fuzzy Hash: 1B211AB5D006199FDB10CF9AC5857DEFBF8BB48314F148569D818B3740D774A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 026494E8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02649B91,00000800,00000000,00000000), ref: 02649DA2

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 69a4339e5094ddff452a062ae8c9a601800c6f082630a48d8d51ba9d24010fd5
Instruction ID: a2fc68201691697a27a6757a0f72a086f1e2ef67af3195db92754d7001b838c5
Opcode Fuzzy Hash: 69a4339e5094ddff452a062ae8c9a601800c6f082630a48d8d51ba9d24010fd5
Instruction Fuzzy Hash: 2B1144B29002089FDB10CF9AC444ADFFBF4EB88324F00842AE855A7700C774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02649D30 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02649B91,00000800,00000000,00000000), ref: 02649DA2

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3781f4279bf598cf28ea134b85f09b77e99494bc711244e895dcba5e7bf56741
Instruction ID: 5773cd3be8e55976d11cb2de63bf67d427f158e7e86f87547febd2592f13c6f5
Opcode Fuzzy Hash: 3781f4279bf598cf28ea134b85f09b77e99494bc711244e895dcba5e7bf56741
Instruction Fuzzy Hash: CF1114B6D012099FCB10CF9AC584BDFFBF4AB88324F00842AD859A7710C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04692D41 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04692DB3

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9e72d3083d56f39c217840a9dc6de1fe81eae582f9c3fd38efee0f865ed60166
Instruction ID: 63208c2628c5284097e1258f7576c009b40e5da359b718c408f2a92e530ff4ec
Opcode Fuzzy Hash: 9e72d3083d56f39c217840a9dc6de1fe81eae582f9c3fd38efee0f865ed60166
Instruction Fuzzy Hash: 991123B98002099FCB10CF89C984BDEBBF8AB48320F148819E529A7610C374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04692D48 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04692DB3

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9d84de26415025c1eb9186491cf8f498c1480155057323c0e6616fa765ef758
Instruction ID: 94ac7934cf281bae6e433a86fbd912e8c9529e2161803ad97af32e6ad6ab98f3
Opcode Fuzzy Hash: a9d84de26415025c1eb9186491cf8f498c1480155057323c0e6616fa765ef758
Instruction Fuzzy Hash: 5011E3B59002499FCB10CF9AC884BDEBBF8EB48324F148419E529A7750D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02649AB0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02649B16

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: be159af8b3b76426fd34f41c0c8fff48733ba9df6988a7842079abceb590ecf8
Instruction ID: be10220b940d0fa678a1ec545ca859d517713e2a37f1b83fe97b0ca565397f8f
Opcode Fuzzy Hash: be159af8b3b76426fd34f41c0c8fff48733ba9df6988a7842079abceb590ecf8
Instruction Fuzzy Hash: 2311FDB6D002498BCB10CF9AC584ADFFBF4AB89324F10842AD869A7610C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 046933D8 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0469343D

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 19c39efb84a7f0522691912df1171fbd35d814f2272e923bc07197fb4a3a94d9
Instruction ID: bb891798042e63448722b427b3498d96c9121a496b4bdc1989c1263a09857222
Opcode Fuzzy Hash: 19c39efb84a7f0522691912df1171fbd35d814f2272e923bc07197fb4a3a94d9
Instruction Fuzzy Hash: 4411F2B68002498FDB11CF99C985BDEBBF8EB58324F14841AD955A3700D374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 046930BA Relevance: 1.5, APIs: 1, Instructions: 44threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0469311F

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f0e42789a1aaf37c9924b6bcbc8db5d0c94610348dab747759d51fdb5b6eb359
Instruction ID: 9df88f549ab1286af8b46115ebabd0c7b4709d9a41b2fe85a7964609f33cebda
Opcode Fuzzy Hash: f0e42789a1aaf37c9924b6bcbc8db5d0c94610348dab747759d51fdb5b6eb359
Instruction Fuzzy Hash: 861127B59002498FDB10DF9AD584BDEFBF4EF48324F10841AD419A7750D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 046933E0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0469343D

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c37c5551d64c5b6e60bb60c1157fe9c1a66b0fd5d95481c55310c72954b43acc
Instruction ID: f22df9a8beb6f45b4fba9953236d1ae3c0c73fbfc1bef57e9d3354ee48d4f140
Opcode Fuzzy Hash: c37c5551d64c5b6e60bb60c1157fe9c1a66b0fd5d95481c55310c72954b43acc
Instruction Fuzzy Hash: 2E11E5B58003499FDB10DF9AD985BDEFBF8EB58324F108419E915A7710D374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 046930C0 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0469311F

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3a78140cc5e9db2157c0dc056c1c651b86586e00cb99b7cf3f6a7dac29eb3baf
Instruction ID: 04a3f8faeb3e590571707e7937588312f63406402f5c7b81fb3f2a6deedda1c3
Opcode Fuzzy Hash: 3a78140cc5e9db2157c0dc056c1c651b86586e00cb99b7cf3f6a7dac29eb3baf
Instruction Fuzzy Hash: 801123B19002498FCB20CF9AD984BDEFBF8EB48324F10841AD819A3710D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB9050 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674b982c1692ae7cf92cf90cecede8a3a6b1d9f63efa6c9da91e3cba4cb15ab1
Instruction ID: 13cb5db84541272ddb92b6e593f63fa8e3d931b88248408fa0f25b494662e08e
Opcode Fuzzy Hash: 674b982c1692ae7cf92cf90cecede8a3a6b1d9f63efa6c9da91e3cba4cb15ab1
Instruction Fuzzy Hash: 63F182307143118FEB659B39C4997BF769ADF82608F196065E206CF3F2DA29CC41C791

Uniqueness

Uniqueness Score: -1.00%

Function 06EB62A0 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469fc9edd7282ae0cee7f6f0bd56ea1541e99fa49f8c5f83fdf9840552995d02
Instruction ID: fd2e56a7c1960a2f3dfe3d94366c3f0252ac57e6ac7e73a6bea4759c1eebdca7
Opcode Fuzzy Hash: 469fc9edd7282ae0cee7f6f0bd56ea1541e99fa49f8c5f83fdf9840552995d02
Instruction Fuzzy Hash: 3E126D30A10258DFCB54DF68D884ADEBBF2BF48318F14A569E4499B7A1DB30ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0550 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e286cd2fe2afd9f2d77c25af683f895a5b88cf170b2152c0ce837dfa40ae8e3
Instruction ID: 97d8971bd1165355c442a2375e49a5b83f5c209637540d38fece5d4635c04ddb
Opcode Fuzzy Hash: 4e286cd2fe2afd9f2d77c25af683f895a5b88cf170b2152c0ce837dfa40ae8e3
Instruction Fuzzy Hash: 31F1C975D1061A8FCF10DFA8C854AEEB7B5FF48300F1096AAD559B7214EB70AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBCA70 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819acecc29a53a99795dd9457a9b72745cb051d9f1a04a0b2dae98fe88822d0e
Instruction ID: 76b34096a09e4a36ff7517a5c74967875c6dd467a24d68c5f988177108cdab2b
Opcode Fuzzy Hash: 819acecc29a53a99795dd9457a9b72745cb051d9f1a04a0b2dae98fe88822d0e
Instruction Fuzzy Hash: 63B1C230A04355DFDB40CBA8C849BEEB7B2EF45B04F24A126E5069F2E5DB749D81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 06EB5038 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b593763f502c4420d5508f3858ce86aee2386d97b80cadaa25340eaf852acbf5
Instruction ID: 552c086254e5e4fba7a47be10ca83db37e345e79247091f7180d357d4a821eff
Opcode Fuzzy Hash: b593763f502c4420d5508f3858ce86aee2386d97b80cadaa25340eaf852acbf5
Instruction Fuzzy Hash: CD91C330B05705CFDB94DFA8C8849EEB7B2BF89218B19A16AD416DB361D731DC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0FE0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89412459c03f5a3296f03e687ac5bf6e793079d5a6086e272c84377fe33d03ef
Instruction ID: 67a429aa64c736b1154852092b1c88a4c2c3d49e88d9d2255ec4a957e186fc01
Opcode Fuzzy Hash: 89412459c03f5a3296f03e687ac5bf6e793079d5a6086e272c84377fe33d03ef
Instruction Fuzzy Hash: C1A1E635910619CFDB10EF68C850AD9FBB1FF49314F05C699E549BB215EB30AA89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB49E8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba29f7b594bbf90f336997a3592ca2d4bacfbf68626b1f2a2edd6137e23df36f
Instruction ID: fcb8cd7cbdf64038b81ef122ac7411eb1ee1e31373909a68cbd49acec5d89322
Opcode Fuzzy Hash: ba29f7b594bbf90f336997a3592ca2d4bacfbf68626b1f2a2edd6137e23df36f
Instruction Fuzzy Hash: 3781CF30B00214EFDB54AF60C888BAE7BE6EB88744F049028F9069B3C9DF749D55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06EBE270 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bff568fdd2b37e2ac4e0dee758297a5d8a26835d057730b5d2a2a5c57438cec
Instruction ID: 07ffb060dad7d9bd37d9537ac1ba73d776176bd792397a02ee22d5c38c87173b
Opcode Fuzzy Hash: 2bff568fdd2b37e2ac4e0dee758297a5d8a26835d057730b5d2a2a5c57438cec
Instruction Fuzzy Hash: 6271B530F10314DFEB548B94D4557EEB7B3AB883D4F146529E506AB390DB748C82CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06EB7C88 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa1677f82d040c24419682b923bef2f2828546e0694143554a02146523b4928
Instruction ID: 4b99e68ffdb89e654697211e7815c0408dc176166fe4ff191dd223c834a605fe
Opcode Fuzzy Hash: 3fa1677f82d040c24419682b923bef2f2828546e0694143554a02146523b4928
Instruction Fuzzy Hash: 95711734B102058FDF55DF28C894AFE7BE6AF89244B1960A9E816DB7B1DB70DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB9D90 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e4db4d8bb55fc798a6d6fe0f577948a8c649796b37e44412796deedf5ca889
Instruction ID: 76f6c7b6e80f835b6eb98aa45f125e0ab3547bce5f25eaf8bc28bd89b8c01c3e
Opcode Fuzzy Hash: 46e4db4d8bb55fc798a6d6fe0f577948a8c649796b37e44412796deedf5ca889
Instruction Fuzzy Hash: B0619230B102068FDB549B69C8916FFB7F6AF86314F14A069E502DB396DA38DD4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 06EBEC58 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ceb4ec01f9cad06875dba1e2067cd4f591704d0eb652e595b72c2624c7f1c35
Instruction ID: 6aa2051fadd8719a15ee006639bd54adaae1fdafea9d57bf016c7452d2a6aa6b
Opcode Fuzzy Hash: 5ceb4ec01f9cad06875dba1e2067cd4f591704d0eb652e595b72c2624c7f1c35
Instruction Fuzzy Hash: 74619D30B102149FCB549F68D454AEE7BF2AF88655F156069E802AB3A0DB71DC51CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EBE260 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f6b6a5033a2bbff7afbdc1c08b4134d6acd79cbed4b256145731e7ded9f2fe
Instruction ID: 08be4a6a1bf6564a00d15a05cb2d58eb731456edc874bba7c66402898b03dfdc
Opcode Fuzzy Hash: 07f6b6a5033a2bbff7afbdc1c08b4134d6acd79cbed4b256145731e7ded9f2fe
Instruction Fuzzy Hash: C561B530B10314DFEB548BA8D455BFEB7B3AB88394F147529E106AB390DB748C81CB96

Uniqueness

Uniqueness Score: -1.00%

Function 06EBF080 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e15b9cb5e88958055ccf4c7ae72ad8e3022b1139b1e9665aa8bffc6692ca6f1
Instruction ID: 63b41af2357a475a8dfc170a684d377b652d19b246bf759e3b60e8025a622cff
Opcode Fuzzy Hash: 4e15b9cb5e88958055ccf4c7ae72ad8e3022b1139b1e9665aa8bffc6692ca6f1
Instruction Fuzzy Hash: 0B51CF75B0034A8FCB94CFA8DC849EFBBB2AF85314F09A469D505DB262DB30E845C791

Uniqueness

Uniqueness Score: -1.00%

Function 06EB9B30 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb48496932044d1f870d24028492c475aede35ae3923de74d29b3fdb73eeafe
Instruction ID: c1a94dc8eadad5cabb92484c3b03d7f795a74fe4b8941a0f3ba2a758f5f24dc8
Opcode Fuzzy Hash: cdb48496932044d1f870d24028492c475aede35ae3923de74d29b3fdb73eeafe
Instruction Fuzzy Hash: F4519030A043498FDB51CF68C884AABBBF6FF4A314F1494A6E945CB356D731E815CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0FDD Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d809a1d75bb15f39bc0767bc671d1f621b3397c4fb86add67bab2463c7e1790
Instruction ID: 74ed35b1386f9a6a6446c1a9da761f0e17047a7c9623290a9baf228e8a948fbd
Opcode Fuzzy Hash: 0d809a1d75bb15f39bc0767bc671d1f621b3397c4fb86add67bab2463c7e1790
Instruction Fuzzy Hash: 5A71F471900619CFDB14DF68C890AD9BBB1FF49314F05D699E849BB315EB30AA89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0C30 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a195146159dae24a2bbfa8fce312fcd0a04c64359987e8f1b33a940daac5154
Instruction ID: 7aa85c628f8f8dd7cdf554ce8ba75ffd7a943ca5aa5f8eda9714bd99a8159a73
Opcode Fuzzy Hash: 0a195146159dae24a2bbfa8fce312fcd0a04c64359987e8f1b33a940daac5154
Instruction Fuzzy Hash: 8C515275D102099FDB54EFA8D9808EEF7B5FF85310B14C65AD815AB214EB30BA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB698 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef20cc7545882e8eab3fe11c3507b44bc9d8fdd75ae6c1b02b6a4389585b794
Instruction ID: 926f0c78eaafb54b523ee43560b38f379885513990cf625bca67026690f0e62a
Opcode Fuzzy Hash: 6ef20cc7545882e8eab3fe11c3507b44bc9d8fdd75ae6c1b02b6a4389585b794
Instruction Fuzzy Hash: 9451BE30F003119FEB549B68C855ABEBAF2AF85345F10A16AE406DB3D5DF748C41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB688 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2cdc81f95f07d6ec5eab46778b4c7de7700a483d120cdfba1117995aae782d
Instruction ID: ad6ed2d13387a9fa5668f2b080cea2147dcb821264b454efaf706e8e83d0dd38
Opcode Fuzzy Hash: 4d2cdc81f95f07d6ec5eab46778b4c7de7700a483d120cdfba1117995aae782d
Instruction Fuzzy Hash: 6D51AF30E10311DFEB54DB64D849AFABBB2EB84305F00A16AE5069B3D5DF748D51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB4CE0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb0a9e1ab052ba409306bbaf952edd930b54e7a953acc2e4119b674ae28bb93
Instruction ID: eff4bd0943ceb6c7375669f9bfa76534a5ca3892604e6c34e9d35c373d80b2aa
Opcode Fuzzy Hash: 4cb0a9e1ab052ba409306bbaf952edd930b54e7a953acc2e4119b674ae28bb93
Instruction Fuzzy Hash: C9419E30700214DFEB65AB7494947BE76E7AFC9248F04942DE5468B3CADF788C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3C00 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919cb9a4a98e621baf2dc00348c498533897ac3638b8ebce2d723a3a1311133d
Instruction ID: 27bf083a70607d8da7e798b39f215de71fdad9c27b2b0cc86c3b636e3a01d6ee
Opcode Fuzzy Hash: 919cb9a4a98e621baf2dc00348c498533897ac3638b8ebce2d723a3a1311133d
Instruction Fuzzy Hash: B651CF74E002189FEB14DFA5E845BEEBBB2BF89304F109129E415BB294DB745A55CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06EB30B8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfac6f49d3c95ac67ecaaf72145322a206669ea473273e6a177f90921e5df5d
Instruction ID: 4e4f92ed756b40898b34977b3caa08709c5b748fd9be18661ab014ef27f7466a
Opcode Fuzzy Hash: abfac6f49d3c95ac67ecaaf72145322a206669ea473273e6a177f90921e5df5d
Instruction Fuzzy Hash: AA51AE74E002099FDB44DFE9D945AEEBBF2FF88301F15902AE819AB264DB345945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBF3BF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e177126b1f61e2ad994ff0e5ac2b899598a63b40d6df96d184f918971631c1
Instruction ID: 0e0fd91d1132e3bdf60bec24b68b01f458d3c61b4558d00da5bfa43156a157f2
Opcode Fuzzy Hash: 29e177126b1f61e2ad994ff0e5ac2b899598a63b40d6df96d184f918971631c1
Instruction Fuzzy Hash: F3415830A10219AFDB14AF64D845AEE7BA6EF84308F049429F8029B794DB34DD96CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB470 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9fc041cdab518f93c90efebe185593188a383e50d6dac959435a8e119a2294
Instruction ID: 3dd7658e477f804f9c05f7799f9296b1a83033fef36084d2da4caab3948b199f
Opcode Fuzzy Hash: 7d9fc041cdab518f93c90efebe185593188a383e50d6dac959435a8e119a2294
Instruction Fuzzy Hash: 5F419B756002159FDB959F64D844BEF77E7FB88308F05A428E80A9B394DB34D805CB96

Uniqueness

Uniqueness Score: -1.00%

Function 06EB6E28 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423fe026db434fa0bdca01a7a7f9ab80e9441d26403fa32354a0051d35988c5e
Instruction ID: 6e88e5128c465db019fd99dfc5655890baa0c24a2bd661665ae938c21e3d5d0c
Opcode Fuzzy Hash: 423fe026db434fa0bdca01a7a7f9ab80e9441d26403fa32354a0051d35988c5e
Instruction Fuzzy Hash: FC31FE31700204AFDB159B64D894BEE7BB7EFC9250F14806AE506EB390CF359D16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB8EB0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6541d3b788ca13d1189e49aa7eedd3262dcdd833edd5515e11f2c0a0a849758
Instruction ID: b8ff70952bc87b009861df45489056a457c1ee1fcf22673425a2904bbaea4f0f
Opcode Fuzzy Hash: d6541d3b788ca13d1189e49aa7eedd3262dcdd833edd5515e11f2c0a0a849758
Instruction Fuzzy Hash: 8B31AD307143198FEBA59B64D8946BF766BAB85368B29746AF006CF391DA24C880C791

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB199 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db9dd392a8add03cadb3c8e4a5dc18a285e29085a3831e160a5750b2af02054
Instruction ID: 570b361b39cc74c3c6fa3634d542a8590a1feccdbb10a3337dd2e7452fbc37c2
Opcode Fuzzy Hash: 8db9dd392a8add03cadb3c8e4a5dc18a285e29085a3831e160a5750b2af02054
Instruction Fuzzy Hash: A641E371E00208AFDB08DFA9D944ADEFBF2AF89314F15D069E518A7261DB3199418B61

Uniqueness

Uniqueness Score: -1.00%

Function 06EBAC10 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8846ac9b77412c47b209d58e435aa62b4b5a31f6e48ecd6d02ed4aa2de64d6ad
Instruction ID: d816f2638c8ca004f1c32d30ff2bbdcb19cb01aad4c38fd7289b6e9ea81209d3
Opcode Fuzzy Hash: 8846ac9b77412c47b209d58e435aa62b4b5a31f6e48ecd6d02ed4aa2de64d6ad
Instruction Fuzzy Hash: A3318A31E042188FDB04DFA8D854AEEBBB5FF89314F1560AAD105AB2A1DB359D45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3DA8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92dcffba4f35104d2a0a68eedf170c3034815bf3e7e22e492bcf78ca826f37df
Instruction ID: 8a66f9e0dfbf1f798cd19a3479bae27b0d2ad7265dce178e2044f2f64332201f
Opcode Fuzzy Hash: 92dcffba4f35104d2a0a68eedf170c3034815bf3e7e22e492bcf78ca826f37df
Instruction Fuzzy Hash: 83315E31700309EFDB15AF64D986AAF7BA2EB84314F409029F9059B394CF75DD65CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB7F30 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a644181d1490cb855ff435c9a38d3845393b3479b05ebfbdd295e17ee8bb2d84
Instruction ID: 4d4250277beb6788077168e7f903cc9299dd40089131c2a36e0319a2b6c704f9
Opcode Fuzzy Hash: a644181d1490cb855ff435c9a38d3845393b3479b05ebfbdd295e17ee8bb2d84
Instruction Fuzzy Hash: 8B21BD307213148BFF641A3598946BB769BAFC025CF24A039E402CFB94EE7AC842D795

Uniqueness

Uniqueness Score: -1.00%

Function 06EBAD29 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ec044617b722658b45da32a5c4fb01afb7deb0379ddd3f9f9b138583d6d760
Instruction ID: 7e8bb12f04c2b981e0d4931a33fe5a9610fbc3e8a69a27e55c3bc27d54c63697
Opcode Fuzzy Hash: d7ec044617b722658b45da32a5c4fb01afb7deb0379ddd3f9f9b138583d6d760
Instruction Fuzzy Hash: 1331F275E002189FDF04DFA9E4486EEBBF1FB49349F10A129D511B7294D7788A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB060 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f9ebf147feeaeb3523f0e6c17d280d40b24d280ef2d9c179562076741a9a84
Instruction ID: 24378688bc625775c6ebe7d0ed0707b33cdb7b4225a63640debccf6bd2a2baed
Opcode Fuzzy Hash: 92f9ebf147feeaeb3523f0e6c17d280d40b24d280ef2d9c179562076741a9a84
Instruction Fuzzy Hash: 81310774E002189FDB08DFA4E8446EEBBF2FB89314F109129E815B7398DB745A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EB1970 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5280cd43b6c95e969a10e1f0843cc68d45fcd1bd63ed5eaaabce3fb816da829
Instruction ID: c769bb10bd65c4eb509cf109be9f3319521b84927b3d5cdcab8113a20aa6320d
Opcode Fuzzy Hash: d5280cd43b6c95e969a10e1f0843cc68d45fcd1bd63ed5eaaabce3fb816da829
Instruction Fuzzy Hash: A3312F35A10219DFCF04EF98D884CDDF7B6FF89314F058659E5056B220EB70A94ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB2D8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863d29d398f29ca11bbcf16c2504693238d850cc7b04dc81660c4acdfe054c34
Instruction ID: dd81cb0f2048de15f69cddc34c9aa1601e2adcc7330e5aae121991361e03949f
Opcode Fuzzy Hash: 863d29d398f29ca11bbcf16c2504693238d850cc7b04dc81660c4acdfe054c34
Instruction Fuzzy Hash: B231A031600219EFCF859F65D884AEF7BA6EF88310F54A025FD158B258CBB0C961DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB9F0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624acba9f5c0886ebf657eea0d43aa38d4f80a58b420a3fe158837f0bc1fd431
Instruction ID: f44ba6e3f2d77d6bdb76abb088e6ebe024f13ea62832f115e34bcc36d2c9ca52
Opcode Fuzzy Hash: 624acba9f5c0886ebf657eea0d43aa38d4f80a58b420a3fe158837f0bc1fd431
Instruction Fuzzy Hash: A321FF74B013055F9B15EB798C584BF76BBFFC8258B64582DE416E7340EE348D0686A1

Uniqueness

Uniqueness Score: -1.00%

Function 06EBE9F0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c44a679673c7cf998342d0c12519602ee1eb1be7a6736194febab9fdae37a90
Instruction ID: 7e7f38e87448fd9e3cb037fadfca5e328c22e63f71b1b816896dd7957115bd0f
Opcode Fuzzy Hash: 9c44a679673c7cf998342d0c12519602ee1eb1be7a6736194febab9fdae37a90
Instruction Fuzzy Hash: D2215E31A04206CFDB948F99C8416EFB7B9FB46390F04B636E515E7240D338A951CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0096D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265534110.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b030f4a30a2ca4675e2ede68e72bff048f0f9b06fed52523f214daeba9934bb
Instruction ID: 9faf391c2908e410b0d8a931e2382b91d7932402cc6bdcd3c62d3e10f76cbf05
Opcode Fuzzy Hash: 8b030f4a30a2ca4675e2ede68e72bff048f0f9b06fed52523f214daeba9934bb
Instruction Fuzzy Hash: 86210671A05240DFDB00DF10D9C0F66BB65FB94324F24C969E8054B696C73AEC46C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0096D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265534110.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739248c38994e5794e9075c209510150a05ebe4d0432f81738952d19b5f170b9
Instruction ID: e55b32d437e8be5496f3a3de550afb20527dea2c860396a4ead8fceb7bf03c4a
Opcode Fuzzy Hash: 739248c38994e5794e9075c209510150a05ebe4d0432f81738952d19b5f170b9
Instruction Fuzzy Hash: 15213A71A04240DFDB11DF14D9C0B67BF65FB94328F24C569E8060BA5AC33ADC45D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06EB4EA0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5d138a6f24e72c41c3c531966d3dc55dd2e58befc134b22e64a5924e986f81
Instruction ID: 8066f9cf145806f78e05db46f5848b0f8f4f335533da5aaabb632479d4bfa322
Opcode Fuzzy Hash: 5a5d138a6f24e72c41c3c531966d3dc55dd2e58befc134b22e64a5924e986f81
Instruction Fuzzy Hash: 0121BB35700710DFD728AA29D49596FB7E2EB89758755A068E8069B399CF20DC01C790

Uniqueness

Uniqueness Score: -1.00%

Function 06EB2138 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9336b1afafdcb3477625f1835d0f17e7229fec6d73a7ed1a82a700957527db78
Instruction ID: 0f9cfd4606ba95486dce1fedfc2640fc08fccc825add540a61204686dcfe8f33
Opcode Fuzzy Hash: 9336b1afafdcb3477625f1835d0f17e7229fec6d73a7ed1a82a700957527db78
Instruction Fuzzy Hash: C4213771E0421A8FCB40DFA8C841AFFBBF5AF49311F14416AE624E7291E7359A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265561415.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb4406816144d8f1ad20ad33233eb61ec8e1a8196b560d45a5309b7bcbfbde2
Instruction ID: 65d46ce7bd446f22e82fe9eed45f9d1c911886acae0d52cb5dba0c666e1abfac
Opcode Fuzzy Hash: bcb4406816144d8f1ad20ad33233eb61ec8e1a8196b560d45a5309b7bcbfbde2
Instruction Fuzzy Hash: 3A21B076604240EFDB05DF10D9C0B26BBB5FF84328F24CAA9E8594B656C33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0097D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265561415.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79010c769b22e36357feb54f5523405e4b458c5af407da6c309cbe665a3b42fe
Instruction ID: 4e04688b913c8eda82be45fccfa68144caf81b91d3b5dc3b5f07f4e83e39bf98
Opcode Fuzzy Hash: 79010c769b22e36357feb54f5523405e4b458c5af407da6c309cbe665a3b42fe
Instruction Fuzzy Hash: 9021F276604240DFDB14DF10D9C0B26BB75FF84324F24C969D80D4B746C33AD846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3AFD Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03591e2b213475cb1f09553930828062df0a04a10d7f690d40c4497929304996
Instruction ID: 369b9953489049a9442acdebc741bf4cad05832f0e5ea9b2ab6cff27417dc08c
Opcode Fuzzy Hash: 03591e2b213475cb1f09553930828062df0a04a10d7f690d40c4497929304996
Instruction Fuzzy Hash: D5215774D09719DFEB54DFA5D8967EFBBB1EB49214F00612AD012B3298DB740A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB8D8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2364b634eeb80d27a5f5d64a63c02c3d318ed00fbcd5417973260cd175c36b91
Instruction ID: 7361079571a7add5f791f3390ac4d32f65334e7601a2c38bdb3418c4f72ec22a
Opcode Fuzzy Hash: 2364b634eeb80d27a5f5d64a63c02c3d318ed00fbcd5417973260cd175c36b91
Instruction Fuzzy Hash: B821B73250C345CFF394866ECC503E77B65EB52350F047577D1E6C7291DAA49841C392

Uniqueness

Uniqueness Score: -1.00%

Function 06EBEB68 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aecf3f74bac2257be529560da866b401c507665ee741877e80150c9454e945
Instruction ID: d3b7d3a1bc6d2a004f8d7448284dfe9444e8937220718b682056e9e838c71b21
Opcode Fuzzy Hash: 32aecf3f74bac2257be529560da866b401c507665ee741877e80150c9454e945
Instruction Fuzzy Hash: 1A21AE30614204AFEB54AB708C45BFE7BB7EB89340F10C469F506EB2C4DE359E168B91

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0318 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d50455daa3355d731494cd4a71c059320da934e39cc0d47d589d7af67c72847
Instruction ID: 4ab1f3b1e228babf2d0ed42d212d09d883428d913ad8f057f87802d3ac2ac5f7
Opcode Fuzzy Hash: 7d50455daa3355d731494cd4a71c059320da934e39cc0d47d589d7af67c72847
Instruction Fuzzy Hash: A2213D75E1060A8FCF44EF69C8848EFB7B9FF88300B519669D905B7351EB30A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EBBDB9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e7a61fbca1b45cc35cf92b3cf20f06074f98099350fc2d515bb4ae6a76bfc0
Instruction ID: cf242f32947ce17e2f6e859b3640b11ba44abcfcc958efa42994350baa407611
Opcode Fuzzy Hash: c4e7a61fbca1b45cc35cf92b3cf20f06074f98099350fc2d515bb4ae6a76bfc0
Instruction Fuzzy Hash: 73112771B042049FE7849B78E8516AA73B3EB88209F00646AE206DB390DF78CD458B92

Uniqueness

Uniqueness Score: -1.00%

Function 06EB7017 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e36564636acf12790ff280ac198dde45daaa7adff05fce81a7b2608bc143b0
Instruction ID: f1b82384bf4cfebedacd79f71e963246ec5b7fbef9686597a9cc6142cf79098d
Opcode Fuzzy Hash: 95e36564636acf12790ff280ac198dde45daaa7adff05fce81a7b2608bc143b0
Instruction Fuzzy Hash: BA21A170E043198FDB04CFA8C8856AFFBB2BF85314F15919AE515AB6E1DB359C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBD988 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119f69fbb81fa953cb04696e673b846bb1f1a4aaa94e436eaca5d7ee929e8f5d
Instruction ID: a2875dfc62897a5af99813de70455898bd8c179c9dbff1b175a8cc05d768b57e
Opcode Fuzzy Hash: 119f69fbb81fa953cb04696e673b846bb1f1a4aaa94e436eaca5d7ee929e8f5d
Instruction Fuzzy Hash: 1F21C032A04604CBEB90CF6DDC547EBB3A5FF84719F04A526E569C7291D370E940CA92

Uniqueness

Uniqueness Score: -1.00%

Function 06EBBDC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fdb1cde1785a2b4fcb649ad0f2de72e9ce8b94d58baa95c46cca3130ce19c9e
Instruction ID: 47502b2ac6107a1e39b8146adaf61a1b7c50ee5f5f3c27cfade7caff7753fabe
Opcode Fuzzy Hash: 7fdb1cde1785a2b4fcb649ad0f2de72e9ce8b94d58baa95c46cca3130ce19c9e
Instruction Fuzzy Hash: 51112970B042089FE7949B79E8146AF76F7EBC8218F105069E206DB3D0DF70CC4587A2

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3B31 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5152eecf4d634801d8c6fe5383098fd9104added416ffbf8357b8702fda844e9
Instruction ID: 55ad5889e3a57a521f0fede7d9872fff79fb21a3dff0036d8e3b10f7d52c9d63
Opcode Fuzzy Hash: 5152eecf4d634801d8c6fe5383098fd9104added416ffbf8357b8702fda844e9
Instruction Fuzzy Hash: 2E216774D04219DFEB04DFA4E859BEFBBB5EB49304F00616AD011B7294DB791A58CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EB9719 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39df8ab5e073fa12736ccb019fe2ea88e45f359b4a6f2e1983d3a56afb7ff9f9
Instruction ID: 83df6b89f6701dffd624d2eb37948c6961fde35d65d72b58a1d94a13245ff596
Opcode Fuzzy Hash: 39df8ab5e073fa12736ccb019fe2ea88e45f359b4a6f2e1983d3a56afb7ff9f9
Instruction Fuzzy Hash: 4F216B34E01258AFDB19DFA1D550AEEBFF6EF89204F24A069E441B62A5DB709940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06EBE8C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4412a7257fd2b5e351ce67668231aecdda2b3c7e2df427be9b578c6cdc206696
Instruction ID: 799383bd843e53bdad99c731e8c68e96d77da3a522be2aaae4228a4d5281baf1
Opcode Fuzzy Hash: 4412a7257fd2b5e351ce67668231aecdda2b3c7e2df427be9b578c6cdc206696
Instruction Fuzzy Hash: A7116D72E04609CBEB809FADD8806EBF6A1FF44390F44653AE116D7380D33599499B92

Uniqueness

Uniqueness Score: -1.00%

Function 0097D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265561415.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26ec4c4c23564b9cc1c8b0bf5eaac07f6b2b34f2f35a332462b16007f21afc7
Instruction ID: 5f6f9055a608800e7b11d451078a9ea4ff51386238021f7d4b14ed1755586d6a
Opcode Fuzzy Hash: e26ec4c4c23564b9cc1c8b0bf5eaac07f6b2b34f2f35a332462b16007f21afc7
Instruction Fuzzy Hash: 5D214F755093808FCB12CF24D994715BF71AF46214F29C5DAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06EBEC49 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ee8733e9e8a0e2a42e2cda9f627aa7e46e34be6ee539dc97c716866fd4e527
Instruction ID: 5f9d798c087a831053d4d1d353155ddc1414535910de44e78707606379dcb2ce
Opcode Fuzzy Hash: f8ee8733e9e8a0e2a42e2cda9f627aa7e46e34be6ee539dc97c716866fd4e527
Instruction Fuzzy Hash: 7D210535A10208DFCF14DFA4D545ADDBBB2EF48351F146429E901BB2A0DB719D60DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3B2C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0db862ca078971b922c9fc96f995dc41c319331f15c787d0a7a6396c5f4ec9e
Instruction ID: 21eed6025930a82ecd030903cd0215e20c9bfa2a491240d7d07b773951beafc1
Opcode Fuzzy Hash: c0db862ca078971b922c9fc96f995dc41c319331f15c787d0a7a6396c5f4ec9e
Instruction Fuzzy Hash: FD214475D04219DFEF04DFA5E8857EEBBB1EB49304F00612AD012B3298DB781A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EB1640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417e650c9416560f8be85bccdecc6278210e0e9fdc6a3670261d2b28e3931fb5
Instruction ID: 24c1349afd2f80ed57ac9a77b5e6a0cca1fa626a472e4a102b60374e0bbddb00
Opcode Fuzzy Hash: 417e650c9416560f8be85bccdecc6278210e0e9fdc6a3670261d2b28e3931fb5
Instruction Fuzzy Hash: 46212E31E106088FDB04DBA8C894ADEB7F1EF88320F149269D515B7354EB30AD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3DA7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f045e1b3ddb429be9f38b3978458f7ef8c5616e4ac47ecb6e06be812cdba33aa
Instruction ID: 90843bb8ce0914907df548755995d960493d38541def8ff6d9aedc590b2cf80f
Opcode Fuzzy Hash: f045e1b3ddb429be9f38b3978458f7ef8c5616e4ac47ecb6e06be812cdba33aa
Instruction Fuzzy Hash: 67118E31B04319DFEB15AF24E546BAF3BA2EB84318F40A029F905AB355CB74DD55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBAC60 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b753c8f4ebf8d774f15e411078a7c3ca901af9bda757cb246fb141708f113ce0
Instruction ID: 2e4afb3fbf45cbff1512b16fd3a586de5403e91cc35eefaa63592999e6d72719
Opcode Fuzzy Hash: b753c8f4ebf8d774f15e411078a7c3ca901af9bda757cb246fb141708f113ce0
Instruction Fuzzy Hash: 0A114671D042198FEB04EFA4D8187EEBBB2FB49305F04A16AD011B7294DB781A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EBC8C0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb851d1475bd049597ad7014b67d84362e9041886ce96d81b4aabcbb328f060
Instruction ID: 1f85d005f415f493fe7e1aed9ac155a40b47527c56c4c8c38b53b5939b409268
Opcode Fuzzy Hash: afb851d1475bd049597ad7014b67d84362e9041886ce96d81b4aabcbb328f060
Instruction Fuzzy Hash: 72114F31F102158B9B54EBB898115FFB6F6AB89759B20113AC505EB340EB35CE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3651 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7277b34ed3599e2e9940da23c1c8eba41925f503e76fc1620164387d4e0d4b3
Instruction ID: 19e5e82a4575c3f05fea5278c4ec05245b4f087fb530f1963a58b39579fada29
Opcode Fuzzy Hash: b7277b34ed3599e2e9940da23c1c8eba41925f503e76fc1620164387d4e0d4b3
Instruction Fuzzy Hash: 72210374E10209DFEB08DFA4E4456EEBBF1FB48304F60912AD505A7398EB755A94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0096D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265534110.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: c22c4413675e7cea01de26b398e1df1042634f6a1090b90ba4151a33d6739c17
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: 4311E676904280CFCF12CF14D9C4B56BF71FB94324F24C6A9E8054BA1AC336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0096D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265534110.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: 927d6a54b6cd859db353e8c301560dee9239be0a4bbcbe3c1d743ee2ffa92aab
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: B611B676905280DFCF15CF10D9C4B16BF71FB94324F24C6A9D8454B666C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265561415.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43bc81a3ff9705b917d63333e3be4ed1b9938392dd5ea36af53da639c8dcacc
Instruction ID: 56d4b8831b3b4811f56d9470af01f1b132a2415b627a06c9df528ae48ca8c42c
Opcode Fuzzy Hash: e43bc81a3ff9705b917d63333e3be4ed1b9938392dd5ea36af53da639c8dcacc
Instruction Fuzzy Hash: D7117976904280DFDB11CF10D5C4B15BFB1FB84324F28C6AAD8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 06EBDA06 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e690c7e04b44a737df1dc36c06f752ef86dc6cb521ed2d7b48c121f76ef8cfb9
Instruction ID: 9e63ba16908bc0f1d1fb57055c87ca152a5b308743f558efb3af68b66d5a0e4d
Opcode Fuzzy Hash: e690c7e04b44a737df1dc36c06f752ef86dc6cb521ed2d7b48c121f76ef8cfb9
Instruction Fuzzy Hash: E811AD72A04600CFEB908B68DC50BEBB3A1EF40719F05A926E469C7292E370D910CA41

Uniqueness

Uniqueness Score: -1.00%

Function 06EB3B25 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca51c0d9b6e760b809ade0853c9e5740bfaf4b2c2f471031e4a0e3b6b99c2a8
Instruction ID: 83dfa57bd2fc14dbd2d723a09136bf07ac645e53dcf91da1474dcdfc29455535
Opcode Fuzzy Hash: eca51c0d9b6e760b809ade0853c9e5740bfaf4b2c2f471031e4a0e3b6b99c2a8
Instruction Fuzzy Hash: F3111574D00219CFEB54DFA5E8867EEBBB1FB48308F10A02AD015B3298DB780A44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB3E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372b8e892d96bdf389c8059971fdfe17e767da5870e09f9456d78a03fa55edb6
Instruction ID: 87f7f34237839f246d0e2b775317e1f5ea77814c5f9d07de1c1105e2afa83618
Opcode Fuzzy Hash: 372b8e892d96bdf389c8059971fdfe17e767da5870e09f9456d78a03fa55edb6
Instruction Fuzzy Hash: D801D632B001156F8B559E65A850BEF3BEBEBC8690B589029F505DB280DEB1CD1297E0

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB3D0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c1880ee8807e70fb3ce3dc1d818de3d3ed9d752c51f626b379c79659d0329f
Instruction ID: 7c6f0b53d796b98dd67d5528e35e104cf9a8ed7f70c9f0d69f81b20041ffe7f5
Opcode Fuzzy Hash: 48c1880ee8807e70fb3ce3dc1d818de3d3ed9d752c51f626b379c79659d0329f
Instruction Fuzzy Hash: 9C01F272E042566FCB429E50A800BEF3B66EB893A0B188026F504CB151EA758A128BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0096D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265534110.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6617525f3cbdc7f1f9fdb2c9317c6c20b736a420392f5f9938f7f61a9e2490
Instruction ID: 0c5b2cb26c821f3fa8c63e59eb7fd31b2a7c9321cdbcb7be33709eb2cf21cc15
Opcode Fuzzy Hash: 0a6617525f3cbdc7f1f9fdb2c9317c6c20b736a420392f5f9938f7f61a9e2490
Instruction Fuzzy Hash: 75012BB1A09380AAE7105F11CDC4B66FBDCEF42374F18855AED294BB42C7799C44CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 06EB9D09 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1289d2fe054a8cfc56f8786b4612621f99b4f1bb2a3acca52d9c076bf30537b
Instruction ID: 4309bf23c8272ea199642401f336f4d2b40ac2f3efdccc3f9ca864a7783fce64
Opcode Fuzzy Hash: b1289d2fe054a8cfc56f8786b4612621f99b4f1bb2a3acca52d9c076bf30537b
Instruction Fuzzy Hash: CEF0A4353002082F9B5417AED8909BBBA9BDFC92B1B045029BA0ACB391DE618C51C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0096D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265534110.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c7b336f8b1b59184dd192ea7caeb5a836e1b6412134e9189cd6f7ea6ae05ff
Instruction ID: cea45be8f0343eef4c1358c6fa86167e1f1c26be779553db9640809d76602136
Opcode Fuzzy Hash: 36c7b336f8b1b59184dd192ea7caeb5a836e1b6412134e9189cd6f7ea6ae05ff
Instruction Fuzzy Hash: EDF0C272905284AEE7108E15CCC4B62FFACEB81334F18C45AED184B686C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB1310 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e83c92a2eda4b62fb950fb91a1bd3cdc643422b9b02adfdd497222b0ba01bc4
Instruction ID: d32dbdf19637de7fbb539f60f6f7b2989c40fbbfd59c1388e6c03ed84236c208
Opcode Fuzzy Hash: 7e83c92a2eda4b62fb950fb91a1bd3cdc643422b9b02adfdd497222b0ba01bc4
Instruction Fuzzy Hash: 41F01D76700219AF8B059F95E8449AEBFEAFB8C320710803AF919C3311DB758C21DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 06EB323C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f36394da44d5a565bc6a378eeca90e504b6a831c66f22be8d94e3a5d4046371
Instruction ID: 7e38d62d6fecae75966302b594aea698afcf42d9dc4743fbb2c43cb865cdc593
Opcode Fuzzy Hash: 2f36394da44d5a565bc6a378eeca90e504b6a831c66f22be8d94e3a5d4046371
Instruction Fuzzy Hash: 3B0114B5D083988FDB40CFE8D8565EEBBF1FB59311B00506AD45AEB660E7345905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0E88 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b8cc27748e55e90bde24d52a0d2c8004549a3b867957c2048f79ad8f6f78df
Instruction ID: d0183def858dc052232894d1f67911ddb8fcabf905ccdeca25d6d6c173c876e9
Opcode Fuzzy Hash: 40b8cc27748e55e90bde24d52a0d2c8004549a3b867957c2048f79ad8f6f78df
Instruction Fuzzy Hash: C5F0B432900B1587C710AF6CE40458AF7B4FF91321B408A3EE58967200EB32A998CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0EF8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407c4b0ea6768d57cb01819bfe3767dbb5b572686072d2245a0bb6821f401d7b
Instruction ID: 0d2942513729609187bfba005af03455060ea5f76ba1ef2b84203c2f448e2e6b
Opcode Fuzzy Hash: 407c4b0ea6768d57cb01819bfe3767dbb5b572686072d2245a0bb6821f401d7b
Instruction Fuzzy Hash: A5F065367107104FC7245AA9E504B9773A9DBC5A69B15507DF109CB360EA75EC42C790

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0E20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6fb3795bb5e6eb384142fd29d4cbf910b13eb175f8c18c0e528d223692ed2a
Instruction ID: c4a0187899ed9ae14a0313f65b881865bd8d2e791892b1e1383206d9b9c22927
Opcode Fuzzy Hash: 2e6fb3795bb5e6eb384142fd29d4cbf910b13eb175f8c18c0e528d223692ed2a
Instruction Fuzzy Hash: A5F01D31E107199FCB40EBA8D8004DEB7B5BF99210B00DA26D969B7200FB306A598BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06EBF070 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86e317db193ffd9d15870ece10b5328c59252b5e67b04121e37c419597214da
Instruction ID: 1cfbeb4a13123cf45652b46a12f1cf392d451f4eedf8a100f7bc4c9e4befa48a
Opcode Fuzzy Hash: e86e317db193ffd9d15870ece10b5328c59252b5e67b04121e37c419597214da
Instruction Fuzzy Hash: 45F02B32D243859FCB115BB4ED899E6BF78DF15165F045977D941C2092D7308029C750

Uniqueness

Uniqueness Score: -1.00%

Function 06EBC913 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1c9e318fd7a776e6a035e9a89c1e0783c907f88f8399c8820c0c1036bb8bbf
Instruction ID: b5bad51b896885092f6ed32877c61a8e514bcaffe8f60784aaa6ffaaf22b9d8b
Opcode Fuzzy Hash: 0f1c9e318fd7a776e6a035e9a89c1e0783c907f88f8399c8820c0c1036bb8bbf
Instruction Fuzzy Hash: 67E0E536F102148B5744A27884101FFB2A75BC5698330112AC505AB304FF35DD438B92

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0430 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d353da5afe4918fb19c4aa89beb8cfc91874eabf27634185a7a4ed46a66a7b9
Instruction ID: 8bd64ced4ea8078d2258885954c10ec2287f5ce40aa9354b159ae6513406461d
Opcode Fuzzy Hash: 1d353da5afe4918fb19c4aa89beb8cfc91874eabf27634185a7a4ed46a66a7b9
Instruction Fuzzy Hash: E7E0687390A392CFCB5225A888045DA7B20E702170B2806D7C454C71E2F716442A83E1

Uniqueness

Uniqueness Score: -1.00%

Function 06EB0F40 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f9fc3c59b594a2b024bd449538b14a9078e86712f81b5a1ac0416218bca653
Instruction ID: 27cae788f2fc618d116e5fdfd213623ce5f1e90f790d32571977fa3f0c8e59ae
Opcode Fuzzy Hash: d1f9fc3c59b594a2b024bd449538b14a9078e86712f81b5a1ac0416218bca653
Instruction Fuzzy Hash: D9E09235300300CFC7019B68E448A5937A1EF45615B1900F9E009CF6B2D675EC42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06EB52D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecd0626f9d352d093c41d565e4f52621aa2847556a0289f7b7a84e385f37875
Instruction ID: 4fce42aa4182e83d83fea5f51d92fc6e1e43e7e3795aee1091a220dbd2821f5e
Opcode Fuzzy Hash: 2ecd0626f9d352d093c41d565e4f52621aa2847556a0289f7b7a84e385f37875
Instruction Fuzzy Hash: A7E0DF3400A7905EC306EB20D9914D62B72AA833243899CD5E0444F9ABD728861AC3E2

Uniqueness

Uniqueness Score: -1.00%

Function 06EBE608 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede8d1d9650bb538fc9d95c2c0ed54559407cadd131198bb40c01f24c0068418
Instruction ID: c4c92df404b888d41151a558eec1bf184d7d3ed63b00d01126f38d5fca7bddf5
Opcode Fuzzy Hash: ede8d1d9650bb538fc9d95c2c0ed54559407cadd131198bb40c01f24c0068418
Instruction Fuzzy Hash: BFE09A70C00318CBC744AFAAC8855FBBAF8FB49680B40653EE929A3204C3706800CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 06EBDA9D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64897122a281eb860e409de09ab639f420cc0cefaf8e940adde16863bd45dea6
Instruction ID: 341caa00f044f04242f75abfb76204ce6ff406f0f23bd2f24c032930dbecbe24
Opcode Fuzzy Hash: 64897122a281eb860e409de09ab639f420cc0cefaf8e940adde16863bd45dea6
Instruction Fuzzy Hash: AEE092B0D44219DFDB80EFA9C904B9FBFF1AF08200F2195A9D019E7621E77486058F90

Uniqueness

Uniqueness Score: -1.00%

Function 06EBDAA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0833fcf796c2307e7d7bf1c8dea72725165321199d59229ec83a0721b4be4434
Instruction ID: afef4a57a048f72eb368df0da8b7cd8c881ed041d17fc9014040954cdf9a00cc
Opcode Fuzzy Hash: 0833fcf796c2307e7d7bf1c8dea72725165321199d59229ec83a0721b4be4434
Instruction Fuzzy Hash: C0E0B6B0D44209DFD780EFB9C905B9FBBF1BF08200F1195A9D019E7221E7B496048F91

Uniqueness

Uniqueness Score: -1.00%

Function 06EB52E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a25429e740ea501873324a97c3d87961468aaa03b4b8bea630d1b0bae6f277
Instruction ID: 664632772a8db6e053a8da399109ac75bf548bd54b07c358135c09e750500416
Opcode Fuzzy Hash: b5a25429e740ea501873324a97c3d87961468aaa03b4b8bea630d1b0bae6f277
Instruction Fuzzy Hash: 97C012341146048ECB44BB71E585455336BABC26483C0CC20D1090D96DDF74591957E5

Uniqueness

Uniqueness Score: -1.00%

Function 06EBB9D0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3865a11e44afe3aaa6718f90550cf8a9f954e2ff1077455a44a4bc4f13b98253
Instruction ID: 5097acf838f321b9054a8dd3f9f458c82868bfe4784aa0cec587d905d0ac97b1
Opcode Fuzzy Hash: 3865a11e44afe3aaa6718f90550cf8a9f954e2ff1077455a44a4bc4f13b98253
Instruction Fuzzy Hash: B7C09B3E109115EFB781B750D545CD7B6A6FF55704B40FC51E14455530CB31D92C9753

Uniqueness

Uniqueness Score: -1.00%

Function 06EBC899 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.275038566.0000000006EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6eb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e79d211a95a184aa86edfbbf2b7d488341e821a77af9e2b925abbc541e4d717
Instruction ID: b3e39a229ea5c604045d553308dfcd6f0e22cc5ba73f8a4f8ce2c74d9335c119
Opcode Fuzzy Hash: 8e79d211a95a184aa86edfbbf2b7d488341e821a77af9e2b925abbc541e4d717
Instruction Fuzzy Hash: 79A0113A000000AEAB822B00880BC82BBA2FB20208300E0A0E0800A0308A22A028AB02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04690B80 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

~z, xrefs: 04690CFF
svI, xrefs: 04690D67

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: svI$~z
API String ID: 0-2741777694
Opcode ID: 926b2b875669deb1c795c0e72bf99fb14023f3eb3df3b0b69458acb6135e4803
Instruction ID: d6e5109722eebc166a06b312c252372064ab57ab57327c1d65c10af20d9f6220
Opcode Fuzzy Hash: 926b2b875669deb1c795c0e72bf99fb14023f3eb3df3b0b69458acb6135e4803
Instruction Fuzzy Hash: 8D711574E192098FDF04CFA9D5505AEBBF2AF89310F10942AD415F7358EB786A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 04690B90 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

~z, xrefs: 04690CFF
svI, xrefs: 04690D67

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: svI$~z
API String ID: 0-2741777694
Opcode ID: 5bbfb3b80b2734af314f00bb614e5e1581d1d1925aa6dc00d2342385b3fdcbc7
Instruction ID: c050dc4c6ec88717458625603d65aca3d22df0785ddc11310a85e83097b08c0a
Opcode Fuzzy Hash: 5bbfb3b80b2734af314f00bb614e5e1581d1d1925aa6dc00d2342385b3fdcbc7
Instruction Fuzzy Hash: 87712674E1920A8FDF04CFA9D5405AEBBF6EF89300F10942AD015B7258EB74AA428F94

Uniqueness

Uniqueness Score: -1.00%

Function 04694E98 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e340475c1b7fe856849785da6c642be2cc423c26831f5453a52a26f1b14bca
Instruction ID: 0bdc44374e6484cac78281a2a9187cf19b51876aea536588a3f5972e9a67d812
Opcode Fuzzy Hash: 46e340475c1b7fe856849785da6c642be2cc423c26831f5453a52a26f1b14bca
Instruction Fuzzy Hash: 2BE1AC727006109FEB2AEB75C86076E77EAAF89304F14446DD1468B391EF75ED02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0264E680 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28ad58e8f443f7a552eeb437fb365f4f4a1548927ca32a1299d9891166178a0
Instruction ID: 6b918ec6a3b8a3fd6054d4fff0610a563ad216c4f9896cb46e5a7a44765ed7f5
Opcode Fuzzy Hash: e28ad58e8f443f7a552eeb437fb365f4f4a1548927ca32a1299d9891166178a0
Instruction Fuzzy Hash: 4412E5F1D937668BE718CF65E8881893BA0B745328FD04A09D2619FBD0DBB8116ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 0264C374 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7db1540acfd1927a9001db294b6c7307f400c8e2a29f477851b3500c6a22d7
Instruction ID: 809fde0fb9d365601f7cd3d0465da68c04efc35b08d5b3200e7e1dcf99c6e92d
Opcode Fuzzy Hash: df7db1540acfd1927a9001db294b6c7307f400c8e2a29f477851b3500c6a22d7
Instruction Fuzzy Hash: 81A16732E00219CFCF05DFA5C8445AEBBB2FF85304B15856AE905AB321EF74A955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0264E671 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.265847190.0000000002640000.00000040.00000800.00020000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2640000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b654a9a7f8227a91170bdceb15c3ac79e6eec0503071cae46a123d87902eb4a
Instruction ID: 9198de8375884d36b72b776cac4a698a2be8d565ae3fde63cc232cd4c23cd175
Opcode Fuzzy Hash: 8b654a9a7f8227a91170bdceb15c3ac79e6eec0503071cae46a123d87902eb4a
Instruction Fuzzy Hash: F1C148F1D927268BD718DF65E8881893BB0BB85328FD14A09D261AF7D0DFB4116ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 04695C8F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772d08d794f84fc7928988b375511ba29503a381eb0e8c822461a69a520f1799
Instruction ID: 60f95d1dfdc5171ab0b2125dcbca5ed3e1ab22af5a8041c93125f1eb3c45955b
Opcode Fuzzy Hash: 772d08d794f84fc7928988b375511ba29503a381eb0e8c822461a69a520f1799
Instruction Fuzzy Hash: FF11A072D05218EFDF059F64C848BEDBBF0AB0A300F14502AD41173290E7B89A45DB68

Uniqueness

Uniqueness Score: -1.00%

Function 04695CA0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.271175421.0000000004690000.00000040.00000800.00020000.00000000.sdmp, Offset: 04690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866db9b5ed1e2e56a626642b754f699ce82a5782101058758a1c6dc554244310
Instruction ID: 99a45041d3e8202ff1b19d238cc254ca69618658a332b7014b0332f9045e8c01
Opcode Fuzzy Hash: 866db9b5ed1e2e56a626642b754f699ce82a5782101058758a1c6dc554244310
Instruction Fuzzy Hash: 10115A71D04258DFDF059FA9C4087EDBBF5AB4E300F18906AD412B3290EBB49944DB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AppLaunch.exePID: 60, Parent PID: 5640COMMON

Execution Graph

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	36.8%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Executed Functions

Function 058B07B8 Relevance: 6.2, APIs: 4, Instructions: 232
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 058B07EB
KiUserExceptionDispatcher.NTDLL ref: 058B0A22

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 9f4e342075c3fef183d99c965f33cc86967b63857cb67bcbbf58c33d4fe7f983
Instruction ID: 676bb70419238a8288c9c44b93cee7148c2363e537ef71f42fcca12657ef8a52
Opcode Fuzzy Hash: 9f4e342075c3fef183d99c965f33cc86967b63857cb67bcbbf58c33d4fe7f983
Instruction Fuzzy Hash: C7912C30725118CFD728EB34E46556EB3A3EBC820835485ADD50BCB365EF78AE428B95

Uniqueness

Uniqueness Score: -1.00%

Function 058B07A8 Relevance: 6.2, APIs: 4, Instructions: 239
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 058B07EB
KiUserExceptionDispatcher.NTDLL ref: 058B0A22

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 754117163dd24029740a357d1c3e2116f72edaeb2958f2c9c83d65dfa9538d1e
Instruction ID: bf52b94667ea53496881918ed2c09471917e3eaf58186a5c2be166303ee12c18
Opcode Fuzzy Hash: 754117163dd24029740a357d1c3e2116f72edaeb2958f2c9c83d65dfa9538d1e
Instruction Fuzzy Hash: 3A914D30725118CFD728EB34E46656EB3A2EBC820836485ADD40BCB365EF789D42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 058B0881 Relevance: 4.7, APIs: 3, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 058B0A22

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 60b33d14e8274a0a72d9d875f67794658ee77b02fb7215aefd41ec755162b1c6
Instruction ID: 7a74907a4ff35956243caac0cd6aa081e2a98e0c0ccd41ba5cba13b8bc63270c
Opcode Fuzzy Hash: 60b33d14e8274a0a72d9d875f67794658ee77b02fb7215aefd41ec755162b1c6
Instruction Fuzzy Hash: 67516030725118CFA724EB34F46612FB7A3EBC82083649569D40BDB355EF789E428BD5

Uniqueness

Uniqueness Score: -1.00%

Function 058B09EA Relevance: 4.6, APIs: 3, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 058B0A22
KiUserExceptionDispatcher.NTDLL ref: 058B0A49
KiUserExceptionDispatcher.NTDLL ref: 058B0A70

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 559ca43062882ba703af338d2fec6691e3b96d6a29fca6cbc41f6306c5a9ce50
Instruction ID: 0be2886e20f58f17618a08a293f5c585bb65cec9b75b39a5dc6a991370258e24
Opcode Fuzzy Hash: 559ca43062882ba703af338d2fec6691e3b96d6a29fca6cbc41f6306c5a9ce50
Instruction Fuzzy Hash: A1315C34725108CFEB24EF34F4295AEB776EB8420835489A9D90BC7361EF789D418F95

Uniqueness

Uniqueness Score: -1.00%

Function 058B0A14 Relevance: 4.6, APIs: 3, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 058B0A22
KiUserExceptionDispatcher.NTDLL ref: 058B0A49
KiUserExceptionDispatcher.NTDLL ref: 058B0A70

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c0e1c0d886c7a22f9346d4110305217a1285cca5e837ac6da0a689ad658341e7
Instruction ID: 1e01e4f6e949e89a3886b8c718caf0ffe2feabcf1e432c0197a50b05075c333f
Opcode Fuzzy Hash: c0e1c0d886c7a22f9346d4110305217a1285cca5e837ac6da0a689ad658341e7
Instruction Fuzzy Hash: E1216B30725108CFAB24EF34F4295AAB776EB8820875049A9D90BC7361EF789D418F95

Uniqueness

Uniqueness Score: -1.00%

Function 058B0A3E Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 058B0A49
KiUserExceptionDispatcher.NTDLL ref: 058B0A70

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0b0533ded6e1ce2fbade43727d7a5a010957f0d43eee4c3af5f2736168a65849
Instruction ID: 508378d3755420f7c5014d9f4b5f4774c3a37c83797e2b5aeee7dd634b0e9eef
Opcode Fuzzy Hash: 0b0533ded6e1ce2fbade43727d7a5a010957f0d43eee4c3af5f2736168a65849
Instruction Fuzzy Hash: 3F215C30325108CFAB24EB74F42956AB776EB8830D75045A9D90BC7361EF789D42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 058B3F1C Relevance: 1.6, APIs: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 058B400F

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cd377b1ab4f5f064e69ce67ca1047b03ff5e281a537f2f4435c4f1f427b37fbd
Instruction ID: 338ce8408a5161af34f1b66d99d572c6eb9b10539e3b6707050fa995dbd9f821
Opcode Fuzzy Hash: cd377b1ab4f5f064e69ce67ca1047b03ff5e281a537f2f4435c4f1f427b37fbd
Instruction Fuzzy Hash: CF4149B0E002099FEB10CFA9C8857DDBBF6BB48314F148529D815EB751D7B49886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 058B1584 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 058B400F

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 61c8c10ee84aefb418be1be6a1f86ff925009d4f8f0750587d6c7953622f85ba
Instruction ID: 197808007c340b9e8bb5afc2303f30200209cd92c72c3bb63b480e283a62f166
Opcode Fuzzy Hash: 61c8c10ee84aefb418be1be6a1f86ff925009d4f8f0750587d6c7953622f85ba
Instruction Fuzzy Hash: 71414970E046099FEB10CFA9C8857DEBBF6FB48304F148529E815EB751DBB49846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 058B0A65 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 058B0A70

Memory Dump Source

Source File: 00000006.00000002.277272658.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_58b0000_AppLaunch.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aaa648baf7dbf3db5d1732717412d8736febfe541e11a39f330a730159ece7ae
Instruction ID: 8ece6d82b442b6b8011e402ed983f4cfee81c6e86e0bcc5a9146c27dcf4a23a7
Opcode Fuzzy Hash: aaa648baf7dbf3db5d1732717412d8736febfe541e11a39f330a730159ece7ae
Instruction Fuzzy Hash: 4B115C30325108CFAB24EB74F46956AB776EB8830D75045A9D90BC7361EF789D42CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetectNet.01.18072.21111

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.18072.21111

Function 0264B8D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 0264B8C0 Relevance: 6.1, APIs: 4, Instructions: 119
threadCOMMON

Function 026498D0 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 0469283C Relevance: 1.6, APIs: 1, Instructions: 146
processCOMMON

Function 04692848 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Function 0264FDEC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Function 0264FDF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 06EF26EA Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 06EF26EC Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 06EF3D40 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 04692F00 Relevance: 1.6, APIs: 1, Instructions: 68
injectionCOMMON

Function 04692F08 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Function 0264BAF1 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0264BAF8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 04692BB0 Relevance: 1.6, APIs: 1, Instructions: 60
threadinjectionCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre