Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Analysis ID:	1552474
MD5:	d259c61b387fcd39b3ab83dd9ee1fc26
SHA1:	e53aea122c350a2e569dfaa587cfe5af6c3fb0a4
SHA256:	616ed7e97dd87be83b59ad3fa6df8285f35b62dbe913e8d73b1ea798a6021261
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe" MD5: D259C61B387FCD39B3AB83DD9EE1FC26)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T20:31:00.054930+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49738	TCP
2024-11-08T20:31:38.248695+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49744	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

ReversingLabs: Detection: 28%

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \PlugMan\PlugMan\obj\Debug\PlugMan.pdb+T source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source:	Binary string: \PlugMan\PlugMan\obj\Debug\PlugMan.pdb source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Code function: 4x nop then lea ecx, dword ptr [ebp-000000BCh]

0_2_09319F11

Source: global traffic

HTTP traffic detected: GET /public/F_list.ini HTTP/1.1Host: 159.100.29.29Connection: Keep-Alive

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49744

Source: unknown	TCP traffic detected without corresponding DNS query: 80.78.246.154
Source: unknown	TCP traffic detected without corresponding DNS query: 80.78.246.154
Source: unknown	TCP traffic detected without corresponding DNS query: 80.78.246.154
Source: unknown	TCP traffic detected without corresponding DNS query: 80.78.246.154
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 80.78.246.154
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.29.29

Source: global traffic

HTTP traffic detected: GET /public/F_list.ini HTTP/1.1Host: 159.100.29.29Connection: Keep-Alive

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.100.29.29
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.100.29.29/public/
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.000000000302D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.100.29.29/public/F_list.ini
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003034000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.100.29.29/public/F_list.iniP
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.100.29.29d
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://80.78.246.154
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://80.78.246.154/public/
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	String found in binary or memory: http://80.78.246.154/public/9http://159.100.29.29/public/
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://80.78.246.154/public/F_list.ini
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://80.78.246.154/public/F_list.iniP
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507226515.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_05400C88	0_2_05400C88
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_05401A40	0_2_05401A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_05401A50	0_2_05401A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_077084D1	0_2_077084D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_07704354	0_2_07704354
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_093188F0	0_2_093188F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_0931B5D0	0_2_0931B5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_09319688	0_2_09319688
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_093188E0	0_2_093188E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_0931B3F0	0_2_0931B3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_0931B5C0	0_2_0931B5C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_0931D478	0_2_0931D478
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_0931D469	0_2_0931D469
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_0931C790	0_2_0931C790
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_0931C781	0_2_0931C781
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Code function: 0_2_09319679	0_2_09319679

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000000.1644516326.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePlugMan.exe0 vs SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3505566845.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Binary or memory string: OriginalFilenamePlugMan.exe0 vs SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Source: classification engine

Classification label: mal48.winEXE@1/2@0/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

File created: C:\Users\user\AppData\Roaming\BimStep

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Mutant created: NULL

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

File read: C:\Users\user\Desktop\Flistnew.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

File written: C:\Users\user\Desktop\Flistnew.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \PlugMan\PlugMan\obj\Debug\PlugMan.pdb+T source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Source:	Binary string: \PlugMan\PlugMan\obj\Debug\PlugMan.pdb source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static PE information: 0xFF0CC677 [Thu Aug 6 18:41:59 2105 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Code function: 0_2_07702520 push esp; iretd

0_2_07702521

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Static PE information: section name: .text entropy: 7.458103899462974

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe TID: 7580	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3505803421.0000000001393000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	29%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://80.78.246.154/public/	0%	Avira URL Cloud	safe
http://80.78.246.154/public/F_list.iniP	0%	Avira URL Cloud	safe
http://159.100.29.29/public/F_list.iniP	0%	Avira URL Cloud	safe
http://80.78.246.154/public/9http://159.100.29.29/public/	0%	Avira URL Cloud	safe
http://159.100.29.29/public/	0%	Avira URL Cloud	safe
http://80.78.246.154	0%	Avira URL Cloud	safe
http://159.100.29.29d	0%	Avira URL Cloud	safe
http://159.100.29.29/public/F_list.ini	0%	Avira URL Cloud	safe
http://80.78.246.154/public/F_list.ini	0%	Avira URL Cloud	safe
http://159.100.29.29	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://159.100.29.29/public/F_list.ini	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://80.78.246.154/public/9http://159.100.29.29/public/	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://80.78.246.154/public/	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://159.100.29.29/public/	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://80.78.246.154/public/F_list.iniP	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://80.78.246.154	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://159.100.29.29	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003034000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://159.100.29.29/public/F_list.iniP	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003034000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003044000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://80.78.246.154/public/F_list.ini	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://159.100.29.29d	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000003044000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3506173187.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507244356.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe, 00000000.00000002.3507226515.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.78.246.154	unknown	Russian Federation		43146	AGAVA3RU	false
159.100.29.29	unknown	Germany		203833	AT-FIRSTCOLOAustriaAT	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1552474
Start date and time:	2024-11-08 20:29:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Detection:	MAL
Classification:	mal48.winEXE@1/2@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 44 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AGAVA3RU	http://puzzlewood.net	Get hash	malicious	Unknown	Browse	89.108.119.28
	yakov.mips.elf	Get hash	malicious	Mirai	Browse	89.108.102.237
	http://www.goo.su/c1Rnox/	Get hash	malicious	Unknown	Browse	89.108.119.43
	https://dolshepsi.ru/assets/images/dh/GlobalSources/index.php/	Get hash	malicious	HTMLPhisher	Browse	89.108.85.64
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	89.108.119.28
	http://www.goo.su/fJu2F/	Get hash	malicious	Unknown	Browse	89.108.120.68
	http://vidaliaonion.org	Get hash	malicious	Unknown	Browse	89.108.120.76
	http://stream.crichd.vip/update/sscricket.php	Get hash	malicious	Unknown	Browse	89.108.119.43
	https://lenta.ru/articles/2023/01/13/darkpr/	Get hash	malicious	HTMLPhisher	Browse	89.108.120.68
AT-FIRSTCOLOAustriaAT	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	YIztve8dU8.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	fSLSu3PQPC.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	3kMnPQIVHR.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	F4ged15cJ3.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	cZlRw8OG35.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	j0GmmzdQRz.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	VWpmyBcWBO.elf	Get hash	malicious	Mirai	Browse	79.133.46.243
	KBW66LEndt.elf	Get hash	malicious	Mirai	Browse	79.133.46.243

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\BimStep\Settings.cfg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.2359263506290334
Encrypted:	false
SSDEEP:	3:Bcn:+
MD5:	5EFAD9751B81AC353C2774A58A0BE0FD
SHA1:	D5D6BFFDFA7D7B10B37AB8A099A3BAC6DCFA8684
SHA-256:	52F0327ECD5E40CF50C393FB2D09C7CA0B5CC2E4B757A26CDD02CA4258A1DFEF
SHA-512:	FC21C7726E766B808A3F5746ACD281D00C473177857BF18B5463926505472E9AE62CCE5D25E95396501B89521454AD8DD184458E320974C4421EF8E2DF9D186F
Malicious:	false
Reputation:	low
Preview:	Language..RU..

C:\Users\user\Desktop\Flistnew.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	4217
Entropy (8bit):	5.5869798989771
Encrypted:	false
SSDEEP:	48:80jgj03zxAoqOOVU/Mg1jg1VZjeBtoMJNt3sqwAv/0dWgr8LJ8ZiK9KoKyparIBH:ZjqXrVUnMVZjXEL8zoMIWqCtEoEQH
MD5:	CCAFD2665104854C6AFB571B8D316E63
SHA1:	A38B4976E9A22389A92B9E675028CDD1946089F1
SHA-256:	30C48CF527D489A327957FC342D6931F517B72F6A2A05D86D06D176EF1994E2D
SHA-512:	763B41910B8A8D48458DD05B0C5309D25AF572D979B1C78913F4E439EB401826F88463F238E987C0B286E8965FB7E0FCF2B6B1ABE0B85C6A2677AA1C4E26B57E
Malicious:	false
Reputation:	low
Preview:	.[Section].Name=PlugMan.Description="........ ........".Date=04.10.2023 12:00.Version=.[File].URL=Plugman/PlugMan.exe.Name=PlugMan.exe.Path=..[Section].Name=BimStep_...Description="............. .......".Date=29.10.2024 14:00.Version=2019,2020,2021,2022,2023,2024,2025.HistoryURL=BimStep_...txt.[File].URL=%Version%/BimStep_../BimStep_...addin.Name=BimStep_...addin.Path=%AppData%\Autodesk\Revit\Addins\%Version%.[File].URL=%Version%/BimStep_../BimStep_...dll.Name=BimStep_...dll.Path=%AppData%\Autodesk\Revit\Addins\%Version%..[Section].Name=BimStep_....Description=".......... ............ . ....".Date=01.10.2024 13:00.Version=2019,2020,2021,2022,2023,2024,2025.HistoryURL=BimStep_....txt.[File].URL=%Version%/BimStep_.../BimStep_....addin.Name=BimStep_....addin.Path=%AppData%\Autodesk\Revit\Addins\%Version%.[File].URL=%Version%/BimStep_.../BimStep_....dll.Name=BimStep_....dll.Path=%AppD

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.43497282842813
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
File size:	278'528 bytes
MD5:	d259c61b387fcd39b3ab83dd9ee1fc26
SHA1:	e53aea122c350a2e569dfaa587cfe5af6c3fb0a4
SHA256:	616ed7e97dd87be83b59ad3fa6df8285f35b62dbe913e8d73b1ea798a6021261
SHA512:	c861ad697fc9b76d0cabb9cc0411523f2bd0ccffd0b381217b49eb28fbd0af9f4fb6417ee4998556befde590fc092294ea68398fe61f5a30b3bb68dc44629bc0
SSDEEP:	6144:15eNsZqK0jLVDdlqIcGFJsVgLbZOvoHizVKoSi2MGGf:DMscNdq8CmZWoHoVFSi2MG
TLSH:	DE44CF063660CE5EEFFD03F1D8E526D213AC881AC615E25FBDF238A979B97804604D67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w............."...0..6..........VT... ...`....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x445456
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFF0CC677 [Thu Aug 6 18:41:59 2105 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x45403	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x45364	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4345c	0x43600	8374dec81e1e40c2bd1ae14172aad4ef	False	0.6088713184137291	data	7.458103899462974	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x59c	0x600	51dab4d518e89fe237ea8853abb2ea72	False	0.4108072916666667	data	4.0542235385711605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0xc	0x200	d1a6f9453fa95b027d3c98aec16b7030	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x46090	0x30c	data			0.4230769230769231
RT_MANIFEST	0x463ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-08T20:31:00.054930+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49738	TCP
2024-11-08T20:31:38.248695+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49744	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 20:30:41.680810928 CET	49732	80	192.168.2.4	80.78.246.154
Nov 8, 2024 20:30:41.685853004 CET	80	49732	80.78.246.154	192.168.2.4
Nov 8, 2024 20:30:41.685981989 CET	49732	80	192.168.2.4	80.78.246.154
Nov 8, 2024 20:30:41.686608076 CET	49732	80	192.168.2.4	80.78.246.154
Nov 8, 2024 20:30:41.691418886 CET	80	49732	80.78.246.154	192.168.2.4
Nov 8, 2024 20:30:42.254442930 CET	49732	80	192.168.2.4	80.78.246.154
Nov 8, 2024 20:30:42.263046980 CET	49733	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:42.268131971 CET	80	49733	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:42.268224001 CET	49733	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:42.271281004 CET	49733	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:42.276129007 CET	80	49733	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:42.306770086 CET	80	49732	80.78.246.154	192.168.2.4
Nov 8, 2024 20:30:42.309967995 CET	80	49732	80.78.246.154	192.168.2.4
Nov 8, 2024 20:30:42.310019970 CET	49732	80	192.168.2.4	80.78.246.154
Nov 8, 2024 20:30:42.769515991 CET	49733	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:42.772847891 CET	49734	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:42.778800011 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:42.778938055 CET	49734	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:42.779027939 CET	49734	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:42.783988953 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:42.814668894 CET	80	49733	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:42.869220972 CET	80	49733	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:42.869327068 CET	49733	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:43.695795059 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:43.695815086 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:43.695827007 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:43.695842981 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:43.695857048 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:43.695995092 CET	49734	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:43.695996046 CET	49734	80	192.168.2.4	159.100.29.29
Nov 8, 2024 20:30:48.818382978 CET	80	49734	159.100.29.29	192.168.2.4
Nov 8, 2024 20:30:48.818454027 CET	49734	80	192.168.2.4	159.100.29.29

HTTP Request Dependency Graph

159.100.29.29

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	80.78.246.154	80	7404	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 20:30:41.686608076 CET	81	OUT	HEAD /public/F_list.ini HTTP/1.1 Host: 80.78.246.154 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	159.100.29.29	80	7404	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 20:30:42.271281004 CET	81	OUT	HEAD /public/F_list.ini HTTP/1.1 Host: 159.100.29.29 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	159.100.29.29	80	7404	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 20:30:42.779027939 CET	80	OUT	GET /public/F_list.ini HTTP/1.1 Host: 159.100.29.29 Connection: Keep-Alive
Nov 8, 2024 20:30:43.695795059 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 19:30:43 GMT Server: Apache/2.4.37 (centos) Last-Modified: Fri, 08 Nov 2024 12:22:25 GMT ETag: "1079-62665cdb4e240" Accept-Ranges: bytes Content-Length: 4217 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: ef bb bf 5b 53 65 63 74 69 6f 6e 5d 0a 4e 61 6d 65 3d 50 6c 75 67 4d 61 6e 0a 44 65 73 63 72 69 70 74 69 6f 6e 3d 22 d0 9c d0 b5 d0 bd d0 b5 d0 b4 d0 b6 d0 b5 d1 80 20 d0 bf d0 bb d0 b0 d0 b3 d0 b8 d0 bd d0 be d0 b2 22 0a 44 61 74 65 3d 30 34 2e 31 30 2e 32 30 32 33 20 31 32 3a 30 30 0a 56 65 72 73 69 6f 6e 3d 2a 0a 5b 46 69 6c 65 5d 0a 55 52 4c 3d 50 6c 75 67 6d 61 6e 2f 50 6c 75 67 4d 61 6e 2e 65 78 65 0a 4e 61 6d 65 3d 50 6c 75 67 4d 61 6e 2e 65 78 65 0a 50 61 74 68 3d 2a 0a 0a 5b 53 65 63 74 69 6f 6e 5d 0a 4e 61 6d 65 3d 42 69 6d 53 74 65 70 5f d0 90 d0 a0 0a 44 65 73 63 72 69 70 74 69 6f 6e 3d 22 d0 90 d1 80 d1 85 d0 b8 d1 82 d0 b5 d0 ba d1 82 d1 83 d1 80 d0 bd d1 8b d0 b5 20 d1 80 d0 b5 d1 88 d0 b5 d0 bd d0 b8 d1 8f 22 0a 44 61 74 65 3d 32 39 2e 31 30 2e 32 30 32 34 20 31 34 3a 30 30 0a 56 65 72 73 69 6f 6e 3d 32 30 31 39 2c 32 30 32 30 2c 32 30 32 31 2c 32 30 32 32 2c 32 30 32 33 2c 32 30 32 34 2c 32 30 32 35 0a 48 69 73 74 6f 72 79 55 52 4c 3d 42 69 6d 53 74 65 70 5f d0 90 d0 a0 2e 74 78 74 [TRUNCATED] Data Ascii: [Section]Name=PlugManDescription=" "Date=04.10.2023 12:00Version=[File]URL=Plugman/PlugMan.exeName=PlugMan.exePath=[Section]Name=BimStep_Description=" "Date=29.10.2024 14:00Version=2019,2020,2021,2022,2023,2024,2025HistoryURL=BimStep_.txt[File]URL=%Version%/BimStep_/BimStep_.addinName=BimStep_.addinPath=%AppData%\Autodesk\Revit\Addins\%Version%[File]URL=%Version%/BimStep_/BimStep_.dllName=BimStep_.dllPath=%AppData%\Autodesk\Revit\Addins\%Version%[Section]Name=BimStep_Description=" "Date=01.10.2024 13:00Version=2019,2020,2021,2022,2023,2024,2025HistoryURL=BimStep_.txt[File]URL=%Version%/BimStep_/BimStep_.addinName=BimStep_.addinPath=%AppData%\Autodesk\Revit\Addins\%Version%[File]URL=%Version%/BimStep_/BimStep_.dllName=Bim
Nov 8, 2024 20:30:43.695815086 CET	1236	IN	Data Raw: 53 74 65 70 5f d0 98 d0 bd d0 b6 2e 64 6c 6c 0a 50 61 74 68 3d 25 41 70 70 44 61 74 61 25 5c 41 75 74 6f 64 65 73 6b 5c 52 65 76 69 74 5c 41 64 64 69 6e 73 5c 25 56 65 72 73 69 6f 6e 25 0a 0a 5b 53 65 63 74 69 6f 6e 5d 0a 4e 61 6d 65 3d 42 69 6d Data Ascii: Step_.dllPath=%AppData%\Autodesk\Revit\Addins\%Version%[Section]Name=BimStep_Description=" "Date=08.10.2024 12:00Version=2019,2020,2021,2022,2023,2024,2025HistoryURL=BimStep_.txt[File]
Nov 8, 2024 20:30:43.695827007 CET	424	IN	Data Raw: 6e 25 2f 42 69 6d 53 74 65 70 5f d0 9a d0 a0 2f 42 69 6d 53 74 65 70 5f d0 9a d0 a0 2e 64 6c 6c 0a 4e 61 6d 65 3d 42 69 6d 53 74 65 70 5f d0 9a d0 a0 2e 64 6c 6c 0a 50 61 74 68 3d 25 41 70 70 44 61 74 61 25 5c 41 75 74 6f 64 65 73 6b 5c 52 65 76 Data Ascii: n%/BimStep_/BimStep_.dllName=BimStep_.dllPath=%AppData%\Autodesk\Revit\Addins\%Version%[Section]Name=BimStep_Description=""Date=10.09.2024 12:00Version=2019,2020,2021,2022,2023,2024,2025HistoryURL=B
Nov 8, 2024 20:30:43.695842981 CET	1236	IN	Data Raw: d0 b2 2f 42 69 6d 53 74 65 70 5f d0 9e d1 82 d0 b2 2e 64 6c 6c 0a 4e 61 6d 65 3d 42 69 6d 53 74 65 70 5f d0 9e d1 82 d0 b2 2e 64 6c 6c 0a 50 61 74 68 3d 25 41 70 70 44 61 74 61 25 5c 41 75 74 6f 64 65 73 6b 5c 52 65 76 69 74 5c 41 64 64 69 6e 73 Data Ascii: /BimStep_.dllName=BimStep_.dllPath=%AppData%\Autodesk\Revit\Addins\%Version%[Section]Name=BimStep_AdminDescription=""Date=26.10.2022 14:00Version=2019,2020,2021,2022,2023,2024HistoryURL=BimStep_Admin.txt[File]
Nov 8, 2024 20:30:43.695857048 CET	347	IN	Data Raw: 61 74 61 25 5c 41 75 74 6f 64 65 73 6b 5c 52 65 76 69 74 5c 41 64 64 69 6e 73 5c 25 56 65 72 73 69 6f 6e 25 0a 0a 5b 53 65 63 74 69 6f 6e 5d 0a 4e 61 6d 65 3d 42 69 6d 53 74 65 70 43 6c 61 73 68 0a 44 65 73 63 72 69 70 74 69 6f 6e 3d 22 42 69 6d Data Ascii: ata%\Autodesk\Revit\Addins\%Version%[Section]Name=BimStepClashDescription="BimStepClash"Date=02.08.2024 12:00Version=2019,2020,2021,2022,2023,2024,2025HistoryURL=BimStepClash.txt[File]URL=%Version%/BimStepClash/BimStepClash.dllName=B

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exePID: 7404, Parent PID: 2580

General

Target ID:	0
Start time:	14:30:39
Start date:	08/11/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe"
Imagebase:	0xb20000
File size:	278'528 bytes
MD5 hash:	D259C61B387FCD39B3AB83DD9EE1FC26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exePID: 7404, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	99.4%
Signature Coverage:	0%
Total number of Nodes:	663
Total number of Limit Nodes:	26

Executed Functions

Function 077084D1 Relevance: 5.4, Strings: 4, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(t2, xrefs: 077085BE
(t2, xrefs: 07708870
(t2, xrefs: 077085B2
(t2, xrefs: 07708864

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (t2$(t2$(t2$(t2
API String ID: 0-3677074101
Opcode ID: b1d1c056de12bec1fc2d2803937cd77d9e8eac9f07565d84069087c84ea6d28d
Instruction ID: b75b8226fe867a371d737a6d598d796207323028277d390e52724ace88026581
Opcode Fuzzy Hash: b1d1c056de12bec1fc2d2803937cd77d9e8eac9f07565d84069087c84ea6d28d
Instruction Fuzzy Hash: 88E160B0A10206CFDB14DFA9C848BADBBF1FF44344F158568E409AF2A5DB74E945CB82

Function 093188F0 Relevance: 4.1, Strings: 3, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 093189A4
PH^q, xrefs: 09318D8B
0oAp, xrefs: 09318BDD

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: fcq$0oAp$PH^q
API String ID: 0-3628400218
Opcode ID: d640165e85d8e6b95087897999ef5444acb903bd0857e6926d67f143f187a8b6
Instruction ID: 5dc9f0496bf159320e5caf64b97a268e7be03898857a4775066557229a6d2f43
Opcode Fuzzy Hash: d640165e85d8e6b95087897999ef5444acb903bd0857e6926d67f143f187a8b6
Instruction Fuzzy Hash: 7BE1C374E01218CFDB68DFA9D984B9DBBB2BF49300F1081AAD409AB365DB345E85CF54

Function 093188E0 Relevance: 4.0, Strings: 3, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 093189A4
PH^q, xrefs: 09318D8B
0oAp, xrefs: 09318BDD

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: fcq$0oAp$PH^q
API String ID: 0-3628400218
Opcode ID: ebc3f795504691110ba18274933a743f3a31847a53a71db6ca76df5df772c8e1
Instruction ID: 6cacd54900220f5790904cc6b32aff54d4304905966fc44055e9791c2919138d
Opcode Fuzzy Hash: ebc3f795504691110ba18274933a743f3a31847a53a71db6ca76df5df772c8e1
Instruction Fuzzy Hash: FEC1B074E00218CFDB58DFA9D984B9DBBF2BF89300F1080AAD409AB365DB345A85CF54

Function 0931B3F0 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0931B50C

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1f66063729b670ece835bf3d0294eb565da61d57394bafd51ac524fc702bfaa1
Instruction ID: fcdee3a0f167aeafd3bf71b13b86e9db5d1560082439fdc964f009d2410fcfc0
Opcode Fuzzy Hash: 1f66063729b670ece835bf3d0294eb565da61d57394bafd51ac524fc702bfaa1
Instruction Fuzzy Hash: 0861BEB5E012199FCB08CFAAD484AEDFBB2FF88301F14906AE415AB364DB349945CF50

Function 0931B5D0 Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c5fdf2f8fbdbf778ac672ca9fdc1e4551f957a29be62b1d5332e41d6593889
Instruction ID: 40033e5c4bfe5878ba5279a22b594101937acb3b68ebf781d6a22c6a5481a373
Opcode Fuzzy Hash: 55c5fdf2f8fbdbf778ac672ca9fdc1e4551f957a29be62b1d5332e41d6593889
Instruction Fuzzy Hash: ACA2B274901229CFDB64DF68C984BD9BBB2BF49304F1491E9D448AB265DB31AEC5CF80

Function 09319688 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c96437f0c3a97385e7c88be3eca425abdb7f0b84fabcc1a0a64396733bfac8
Instruction ID: 8bc69124d159782c997e3926063b89e195150fc6cfc1900a47b2037960cc620b
Opcode Fuzzy Hash: 61c96437f0c3a97385e7c88be3eca425abdb7f0b84fabcc1a0a64396733bfac8
Instruction Fuzzy Hash: 4CF19474E012298FDB69DF65D998BDDB7B2BB89300F1081EAD80DA7260DB345E85CF50

Function 09319679 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d19f41676dbcdf7e6e3df358e958193ae9a125be86b1a4223c10412b8f9d031
Instruction ID: 5b55995dc0db4a26a7d432c245af19d616fa85b63a6e94aba0795c01af6f7fb0
Opcode Fuzzy Hash: 3d19f41676dbcdf7e6e3df358e958193ae9a125be86b1a4223c10412b8f9d031
Instruction Fuzzy Hash: C8719275E012298FDB68DF66D8947DDBBB2AF89300F1481EAD81DA7264DB305E81CF50

Function 05400A30 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,03F260D8,02FBA194,?,00000000,?,00000000,00000000,?,00000000), ref: 05400BE7

Strings

Hbq, xrefs: 05400AD0

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Hbq
API String ID: 2492992576-1245868
Opcode ID: fc2b32d8d317ad9bf8e19014f0563e006674d2a82793ddef2a31a85bd97526b7
Instruction ID: 61a864cfff56ec1ed503f3f31b203cf46d96da97fd73325de084c8a7b0606880
Opcode Fuzzy Hash: fc2b32d8d317ad9bf8e19014f0563e006674d2a82793ddef2a31a85bd97526b7
Instruction Fuzzy Hash: 3E518F317046128FD718EF68C858B2E73EABFD4614F64806AE40ACB7A0CF74DD428B95

Function 015EC7D8 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015ECA3E

Memory Dump Source

Source File: 00000000.00000002.3505872357.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 26341a54f97c5442eaaf6ec8844e5e7267d8d9a5ad3b1c3aa36aa547cdbcb0f6
Instruction ID: 01ab6b114cf466e30779a8b8d6bf710656510fbda2e15926647397528554f90b
Opcode Fuzzy Hash: 26341a54f97c5442eaaf6ec8844e5e7267d8d9a5ad3b1c3aa36aa547cdbcb0f6
Instruction Fuzzy Hash: E58133B0A00B058FD768DF69D55875ABBF1BF88310F008A2DD49ADBB50D774E949CB90

Function 05401660 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05403402

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4d76dd86e93988c1cf2ddafe09f29189ce510730f381ff1c6778e76fbdaac529
Instruction ID: 7733c414a662a705aadf3d25c695c7543e16c224266fcce1f24fae0f56e72e91
Opcode Fuzzy Hash: 4d76dd86e93988c1cf2ddafe09f29189ce510730f381ff1c6778e76fbdaac529
Instruction Fuzzy Hash: B151D0B1D003099FDB14CFAAC884ADEBFB5FF48310F24852AE819AB254D7759845CF91

Function 054032E5 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05403402

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 42fd306b6d7d970f80166c3c15cd1fb70e36abe20215094a54e34159ba318273
Instruction ID: cd388d1c8786ac0c914a2aadb731c24840315e6407e54a7b627d7f080fbc483c
Opcode Fuzzy Hash: 42fd306b6d7d970f80166c3c15cd1fb70e36abe20215094a54e34159ba318273
Instruction Fuzzy Hash: ED51EFB1D003189FDB14CFAAC884ADEBFB5FF48310F24852AE819AB250D7749845CF91

Function 054017B4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05405971

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c7b94e3984c82eca14fa77eb950f14a5348c3fee7f4c4094da88e05b505a4799
Instruction ID: 3e6a8c6c26646326c62cef4e7735e0b23bf6998eb1929989ca92d254485803c3
Opcode Fuzzy Hash: c7b94e3984c82eca14fa77eb950f14a5348c3fee7f4c4094da88e05b505a4799
Instruction Fuzzy Hash: AA411AB5900309CFDB14CF99C848AEABBF5FB88314F24C469D559AB361D774A841CFA0

Function 015E4648 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015E6B21

Memory Dump Source

Source File: 00000000.00000002.3505872357.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9e6a1a396b5bffd44e90c2600fc02fc229ce7d28d8e9db783997ce7f1c820fd9
Instruction ID: 096ef771026f3b91e86692d0e3ccd1482185f3f7e4b9be9e6a9ba4512792d067
Opcode Fuzzy Hash: 9e6a1a396b5bffd44e90c2600fc02fc229ce7d28d8e9db783997ce7f1c820fd9
Instruction Fuzzy Hash: 0741BFB0C0071DCADB28DFA9C848B9DBBF5BF58304F2484AAD409AB255DB756985CF90

Function 015E6A65 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015E6B21

Memory Dump Source

Source File: 00000000.00000002.3505872357.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f924fe0ff183fc13cfa018ba2eef783f84bc2bf068842ba0de6c1be21ef5c093
Instruction ID: 2aadd9f361d54beb350e0a6f5e66025f8eb7a47eb190fd9b12b62e3666b3f3a7
Opcode Fuzzy Hash: f924fe0ff183fc13cfa018ba2eef783f84bc2bf068842ba0de6c1be21ef5c093
Instruction Fuzzy Hash: F041DFB1C00719CEDB28CFA9C848B9DBBF5BF58304F2484AAD408AB255DB756946CF90

Function 077079B0 Relevance: 1.6, APIs: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07707A3D

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 52f1f27ad341d2ebcd1dc1859b16344b870fc647e662b662a106e0eae029e6f7
Instruction ID: 1ff88f7a244dc2f1ab42207df5681021d9620462ccf58d8052beda5fe4a77296
Opcode Fuzzy Hash: 52f1f27ad341d2ebcd1dc1859b16344b870fc647e662b662a106e0eae029e6f7
Instruction Fuzzy Hash: A9216AB18043499FDB14CFA9C845BDEFFF8AF49310F14849AD454A7252C339A554CFA5

Function 015EE380 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015EEC86,?,?,?,?,?), ref: 015EED47

Memory Dump Source

Source File: 00000000.00000002.3505872357.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2f3d38990d373f65c2cac98bc6a5d72509f427450c22048a48f589df4ca656c
Instruction ID: e2438ce3e10279a20d78728925697e43e1af97f6853e64a773b23689c7c6051b
Opcode Fuzzy Hash: e2f3d38990d373f65c2cac98bc6a5d72509f427450c22048a48f589df4ca656c
Instruction Fuzzy Hash: BE21D4B5D002589FDB10CF9AD585ADEBFF4FB48310F14841AE958A7310D375A954CFA4

Function 077021D8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 0770225C

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 277c92f55334e2e59f0e73a7c860607884b46fd60d59c1807ca4beeeaeac74b7
Instruction ID: 498c1fa6a2b60e4a44fccf8cd39d3aa68fb14777ac78d0744e4301c30e9a23e7
Opcode Fuzzy Hash: 277c92f55334e2e59f0e73a7c860607884b46fd60d59c1807ca4beeeaeac74b7
Instruction Fuzzy Hash: 022107B2901719DFDB10CFAAD884BDEFBF8FB48350F14842AE858A7251D375A544CBA4

Function 077021E0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 0770225C

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: d9f1e7e89b091f551cb30e9ce9cfdbb353bf52211fec8b325d87abcc9e7590e7
Instruction ID: 1734b6de0220c36d876529c8615d8f2d921abfc085866004658e82402f7f3336
Opcode Fuzzy Hash: d9f1e7e89b091f551cb30e9ce9cfdbb353bf52211fec8b325d87abcc9e7590e7
Instruction Fuzzy Hash: 182115B2901719DFDB10CFAAD884ADEFBF4FB48350F14842AE858A7241D374A944CBA4

Function 0931F9A9 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0931FA1A

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: a8bacecb614ae135c126dc896ccba43493a8ae47fe20eb119580b2c4c579f962
Instruction ID: d3b053a2db31f8b1e6894f484a1ab8c4ae0efc658447199e07b6812fe196edd8
Opcode Fuzzy Hash: a8bacecb614ae135c126dc896ccba43493a8ae47fe20eb119580b2c4c579f962
Instruction Fuzzy Hash: E71114B68006598FDB14CF9AC844BDEFBF4EB48320F14C02AE868B7250D738A545CFA5

Function 0931F9B0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0931FA1A

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ca527b396838a7f58e58b364d82f070e1af2cebcc5ef5dc0cf984199a436fefa
Instruction ID: 21a515eca9542d95aca1fccaecd8fe3d45f6fa53a4f947aac8437fe69aceec88
Opcode Fuzzy Hash: ca527b396838a7f58e58b364d82f070e1af2cebcc5ef5dc0cf984199a436fefa
Instruction Fuzzy Hash: 381123B68002598FDB14CF9AC444BDEFBF4EB88320F14C02AE868A7250D338A545CFA5

Function 077079E0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07707A3D

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bc1df42bb3c70f65fcbf8114fe8e7ab6938e88e686a7bba82817f463438ee06e
Instruction ID: 1ee880c8aae4dc3583f638440a86cac87e1bd5e4447df42d31c2a8974292b212
Opcode Fuzzy Hash: bc1df42bb3c70f65fcbf8114fe8e7ab6938e88e686a7bba82817f463438ee06e
Instruction Fuzzy Hash: 7C113AB1800309DFDB10CF9AC445BDEFBF8EB48360F108419E554A3250C378A544CFA5

Function 077011C8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0770122D

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ba07842f88436589e33cdfaacd61274638660d5fea0b0ff6e503d1d87ea0509b
Instruction ID: a1fb11de551af5a77abcca1183e71a0bad1e20080f62868a360c9e28eccdcb27
Opcode Fuzzy Hash: ba07842f88436589e33cdfaacd61274638660d5fea0b0ff6e503d1d87ea0509b
Instruction Fuzzy Hash: 351122B5800318DFCB10DF9AD849BDEBBF8EB48320F108419E458A7210C375A580CFA4

Function 015EC9D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015ECA3E

Memory Dump Source

Source File: 00000000.00000002.3505872357.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15e0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3af3c42a4bf87d0f94d6d8fa7d0c7228e2004f900d2781f8d059d4690d105c0e
Instruction ID: 08b7cfa4ce57e9ea1bebb0b6c43d692c1ff5b7be567b7d9b5c3e64b6be255f59
Opcode Fuzzy Hash: 3af3c42a4bf87d0f94d6d8fa7d0c7228e2004f900d2781f8d059d4690d105c0e
Instruction Fuzzy Hash: BF11E3B5C003598FDB14CF9AD444ADEFBF4BB48314F10846AD569A7210C375A545CFA5

Function 0931B158 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,01606428,?,?,?,?,?,?,0931DA08,00000000,00000000,?), ref: 0931DB8D

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: d504132cadd5e4b72e6bd8eecda1028ee133d520ce3b005650f5a7ca49f54fa0
Instruction ID: 9bf2e8a25ccae509c10b37e983aa86ff0ba958fb4c7820ccc7b961435d454987
Opcode Fuzzy Hash: d504132cadd5e4b72e6bd8eecda1028ee133d520ce3b005650f5a7ca49f54fa0
Instruction Fuzzy Hash: E911F5B5800358DFDB10DF9AC445BDEBFF8EB48360F108419E569A7650C375A984CFA5

Function 0931DB29 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,01606428,?,?,?,?,?,?,0931DA08,00000000,00000000,?), ref: 0931DB8D

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 628edc3b149923b1e3913897ebc639c811178070f01d245fcb0c164b1a20648c
Instruction ID: fc57b1452fbe44ff957a8f1d5c28bf9565dcafd2fc98af1eb381366559e0a3a1
Opcode Fuzzy Hash: 628edc3b149923b1e3913897ebc639c811178070f01d245fcb0c164b1a20648c
Instruction Fuzzy Hash: 9E1103B58003489FDB10DF9AC845BDEBFF8EB58720F108419E569A7250C375A584CFA5

Function 05403530 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,05403520,?,?,?,?), ref: 05403595

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: afdccc1216a5b2fd8500c7860fe79d038ac059a8b3d7f92a1b8fe599f896baf6
Instruction ID: 214fdaecc9071cf9b448a654a1307ecd456377c74f8b98b9892ca96e3fc2cd0a
Opcode Fuzzy Hash: afdccc1216a5b2fd8500c7860fe79d038ac059a8b3d7f92a1b8fe599f896baf6
Instruction Fuzzy Hash: 7E1103B58002489FDB10DF9AC489BDEBFF8FB48324F20845AD959A7750C379A944CFA5

Function 0540169C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,05403520,?,?,?,?), ref: 05403595

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: da7cbb16d3d2a94bbfa1c8e20765abd95cd9bbe3879e509720e3685152c0081b
Instruction ID: 047e11e4575617b82ce32dc22bbb38e1119dbcc9a85e2cb220b7772d8d6a9ead
Opcode Fuzzy Hash: da7cbb16d3d2a94bbfa1c8e20765abd95cd9bbe3879e509720e3685152c0081b
Instruction Fuzzy Hash: 9811F5B58002489FDB10DF9AD484BDEBFF8EB48324F20845AE959A7351C375A944CFA5

Function 07707B10 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07708295

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: eec08e47a0ee6cb1bfeeca55208383d4e90b8eebe733c4e6796824a016f37a1f
Instruction ID: 2b8d17026c73d68f482ce45a715a7363f3bd39aa9f4c5f383f2e94ba87de52c1
Opcode Fuzzy Hash: eec08e47a0ee6cb1bfeeca55208383d4e90b8eebe733c4e6796824a016f37a1f
Instruction Fuzzy Hash: 4B1115B5900758CFDB20DFAAC444BDEBFF4EB48364F208459D558A7250C379A944CFA5

Function 07708239 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07708295

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 154d6fc7a07871efa68965e30cd119d52b057c560fff522f90ca25037b938f1e
Instruction ID: 1d11cb33f113b56a618f5ff904e948960ee39b8f3dc4d99c53175127339cc333
Opcode Fuzzy Hash: 154d6fc7a07871efa68965e30cd119d52b057c560fff522f90ca25037b938f1e
Instruction Fuzzy Hash: FE1133B5800348CFCB20CFAAD489BDEBFF4AB48324F24846AD458A7250C375A544CFA5

Function 07704049 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 077040AD

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24f1638bffcc34e9d170f68db1c84706f9e58f89a99edfe3784edc65f77f77dc
Instruction ID: 1c4d09d2bc4d193135f0665e90578e1452cb3ea3c541fb26574c1ecb430cced2
Opcode Fuzzy Hash: 24f1638bffcc34e9d170f68db1c84706f9e58f89a99edfe3784edc65f77f77dc
Instruction Fuzzy Hash: DD11F2B5800359DFDB10DF9AC845BDEBBF8EB48320F208459E558A7250C379A584CFA5

Function 077091B9 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(00000000), ref: 0770921D

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 07fee93249a4c174d0dbb4f4d592b6271165b0254cbbe8b8fa6ded68f951e9a9
Instruction ID: 888884fd82628d9f46620cbf5cd9e76a20452a447bf46e4441e081349df4795d
Opcode Fuzzy Hash: 07fee93249a4c174d0dbb4f4d592b6271165b0254cbbe8b8fa6ded68f951e9a9
Instruction Fuzzy Hash: 2811FEB1C00259CFCB10DFAAD844ADEFBF8EB48324F20846AD569A7251C379A544CFA5

Function 077011D0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0770122D

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a9b4f6f99ea49643df325ea89199cf17defa004874a083d4b56f92e0e85fce8c
Instruction ID: b47239e339e4dc15fe4436db31cb69be530750eff305d0cc6febab2cdee5b717
Opcode Fuzzy Hash: a9b4f6f99ea49643df325ea89199cf17defa004874a083d4b56f92e0e85fce8c
Instruction Fuzzy Hash: 821100B5800359DFDB10DF9AD884BDEBBF8EB48320F20841AE558A7250C375A984CFA5

Function 07704050 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 077040AD

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a32f90404f08f72e671bca80dc4f1ef2cd021bab82474aa7c56441bdac7cefff
Instruction ID: 0156aeee87ccebe962f411c2baa37a79aeb473d12b2b6ad691fb3a5695b14a31
Opcode Fuzzy Hash: a32f90404f08f72e671bca80dc4f1ef2cd021bab82474aa7c56441bdac7cefff
Instruction Fuzzy Hash: 071103B5800349DFDB10DF9AC444BDEBBF8FB48320F108459D558A7250C375A584CFA5

Function 077091C0 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(00000000), ref: 0770921D

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2a8ae6d19b107a269393e9356b8903ed6a1fcce3ed4fe606dd00fc6c7d3f5362
Instruction ID: 9ee0dd749a62b8b46ae5ab2742e7ba0ec0ca2df109498588fd499b592b26050f
Opcode Fuzzy Hash: 2a8ae6d19b107a269393e9356b8903ed6a1fcce3ed4fe606dd00fc6c7d3f5362
Instruction Fuzzy Hash: 811100B1C00259CFCB10DF9AD444BDEFBF4EB48320F10842AD568A7250C378A544CFA5

Function 0931323A Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0931326A

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8f1aad9714b53202cfb029a44afe9c110b727fb8710f3ec084652036e85f9863
Instruction ID: 06d20191bb4558268f7bbe2a55ceb37343a8775d8f3215252389dfa799f77678
Opcode Fuzzy Hash: 8f1aad9714b53202cfb029a44afe9c110b727fb8710f3ec084652036e85f9863
Instruction Fuzzy Hash: F8E04872700714B7CB1CBE79DC2AE7B37AAEB85A50744857DE505CB7A1DE24EC0287A0

Function 09313248 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0931326A

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 750bec7e0875b295ca46af513e8e6e89160ccbce14385436338e8f0038d0199f
Instruction ID: 21820fdf9cdff687dc60f0066e55f8dbe455fc378d0224d15e68f9b0d5a8a231
Opcode Fuzzy Hash: 750bec7e0875b295ca46af513e8e6e89160ccbce14385436338e8f0038d0199f
Instruction Fuzzy Hash: E8E01271700224AB8B18BA7AD419C6F77EDAF85A60351456EE406CB361EE65EC028790

Function 0123D428 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505338057.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070409013d3c3e35ceb8b88e19ac5b6e651e74fe18c35d246291ad16eeaf889e
Instruction ID: d275624fec15b5859fbcd5ee130355bfce9e60cf317c5f51215f97dbc92396ad
Opcode Fuzzy Hash: 070409013d3c3e35ceb8b88e19ac5b6e651e74fe18c35d246291ad16eeaf889e
Instruction Fuzzy Hash: 4E2145B1110208DFDB01DF58D9C0B66BF65FBD4314F60C569EA090B256C336E456C7A1

Function 0123D514 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505338057.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc667ac488e6e79324eb0053e12e668c45a2aa9cb5c497ad3c9bd42d6b02463
Instruction ID: fcff0e9157e6ddb8c70561e9b12022f44143ec0d4ddfa24e2b23205298479154
Opcode Fuzzy Hash: 1cc667ac488e6e79324eb0053e12e668c45a2aa9cb5c497ad3c9bd42d6b02463
Instruction Fuzzy Hash: 372142B2510208DFCB01DF58E9C0B2ABF65FBC8318F60C169E9094B296C336D456CAA2

Function 0124D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505383024.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2af1157889464c16ac419c27e0ca1140e42e4fd7011ffa5e132910b4fd6b860
Instruction ID: 9bad82446211a701049bdf35b5e8d1af81ff9a496cb8cd2bed60513468efd50b
Opcode Fuzzy Hash: a2af1157889464c16ac419c27e0ca1140e42e4fd7011ffa5e132910b4fd6b860
Instruction Fuzzy Hash: FB214671614208EFDB09DF98C9C0B26BBA5FB94324F20C66DE9094B357C376D846CA61

Function 0124D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505383024.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fe300090ae8dfc1ff01947f67a363229b24cf16801a9f6a19b0780b34d337a
Instruction ID: 3e9bf77fb310cebe521fdc4a533cb71e1ab13f69b8c8fc0cfd08e9feaa5ad98a
Opcode Fuzzy Hash: f7fe300090ae8dfc1ff01947f67a363229b24cf16801a9f6a19b0780b34d337a
Instruction Fuzzy Hash: 23214270214208DFCB19DFA8D984B26BFA1EB94314F20C56DD90A4B256C37AD407CA61

Function 0124D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505383024.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f538d7ea208d202c13ce37ea958081171c35d2a97689468923043d266a2739c8
Instruction ID: e7112512cbd9b9ce16659d92ba835b3be9fd12a33955ea78e8e5dc54c66937ca
Opcode Fuzzy Hash: f538d7ea208d202c13ce37ea958081171c35d2a97689468923043d266a2739c8
Instruction Fuzzy Hash: E5219F755083849FCB07CF64D994B11BF71EB56314F28C5EAD9498F2A7C33A980ACB62

Function 0123D423 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505338057.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 34385cf41d1567fab0126a48fd24f85936b364bb6dcf6cf04db54acfbaf837ae
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 541103B2404284DFDB12CF54D5C4B56BF71FB94314F24C5AADA090B657C336D45ACBA1

Function 0123D50F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505338057.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 30c0269150213999b75070a8776d702e2f4417c99fa67750fa73416178570b7f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4E1103B2404284CFCB02CF54D5C4B16BF72FB84318F24C5A9D9094B657C336D45ACBA1

Function 0124D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3505383024.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 7942a3ab318ac69144f7dd888e37c2b35bc2e15b268d804522274b08d984f7d2
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B211BB75504284DFDB06CF54C5C4B15BFA1FB84224F24C6AAD9494B297C33AD40ACB61

Non-executed Functions

Function 07704354 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507554203.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58a7985e20db5d5cdb01910d8f5bc8b1651f36540c27218ac9cceabec8bc613
Instruction ID: 72b2d7450dda12871a6a15f20530a7145eb1a874ac18cfda2aaeebee23c2f31a
Opcode Fuzzy Hash: a58a7985e20db5d5cdb01910d8f5bc8b1651f36540c27218ac9cceabec8bc613
Instruction Fuzzy Hash: EBE160F4710691CBDB189B34C598A2D72E6AFDA684F14486AD606CB3E5DF34DC02CBC2

Function 0931C790 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e553dc66a8ef263a5007bdeca67936b18e15f21248369156e994eccc46788e
Instruction ID: b73bfe351aaac3afc6bbd3e63811eb8497d2abd2984321a3545bad516a9b83e5
Opcode Fuzzy Hash: 29e553dc66a8ef263a5007bdeca67936b18e15f21248369156e994eccc46788e
Instruction Fuzzy Hash: 79F1A074D012298FCB64DF69C984BDDBBF2AF89304F1491E9D449AB265DB309E85CF40

Function 05401A50 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826800215101402dce2bb48da89323f7a81717657a4be54389b0d936426bb12d
Instruction ID: 38a5bb6da42154c92418e98390c7edb3095761cdcc37587c40318c56bcda2401
Opcode Fuzzy Hash: 826800215101402dce2bb48da89323f7a81717657a4be54389b0d936426bb12d
Instruction Fuzzy Hash: D71296B2411746CAE732CF25EC4C18A7BB1FB41318F50630AD2666B2E9DBB4156BCF48

Function 05400C88 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e30b358115562bc58a444cd9f2bec047ccb2892c4b591b7f71d78f315a46e8
Instruction ID: cb7193e1d9906a143cf94f33739efd84d03ed409dd08e63aaa05d6d488a4df09
Opcode Fuzzy Hash: 85e30b358115562bc58a444cd9f2bec047ccb2892c4b591b7f71d78f315a46e8
Instruction Fuzzy Hash: DBA14F32E102168FCF19DFB4C8445DEB7B2FF84301B6545BAE80AAB265DB71E956CB40

Function 05401A40 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3506670531.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3deecb7688ba284e30927c6cf2933d48d07b4c2b19beca7ff137e2777940fe
Instruction ID: cba681cad95a13f57d44a8f15a23d4b619c55fc3e20354fc61e91acc94359502
Opcode Fuzzy Hash: 6e3deecb7688ba284e30927c6cf2933d48d07b4c2b19beca7ff137e2777940fe
Instruction Fuzzy Hash: 94C1ECB2810746CBD722DF64EC4C18A7BB1FB85318F50670AD1626B2E8DBB4156BCF48

Function 09319F11 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c580ae2cc60db777f4e42e3686cd4c8cb604754dee0874b2478b20611416f033
Instruction ID: e8c8f83ac2f60d19dd21e8010ad952ced2cefd605d62e91c9e2e1b4f641a0528
Opcode Fuzzy Hash: c580ae2cc60db777f4e42e3686cd4c8cb604754dee0874b2478b20611416f033
Instruction Fuzzy Hash: C7A1C23494522ACFDB29CF24C998BE9BBB1BF49305F1485E9E409A7261DB349EC5CF40

Function 0931C781 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cacf88b127bc375000704d1cf568631d228c6f1025d785765c9fa7602210667
Instruction ID: 80574e9ca131c89ff7d27dd8c0da2e63c2225453c4412fe05eaaaddd2baa0cfa
Opcode Fuzzy Hash: 8cacf88b127bc375000704d1cf568631d228c6f1025d785765c9fa7602210667
Instruction Fuzzy Hash: 7A819074E402298FDB69DF69C9907DEBBB2AF89304F1091E9D40DA7264DB305E85CF41

Function 0931D478 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5099bdf6ae3b958939ff475e2c6e485eb7a47781ab6b9b30304389f3813c52
Instruction ID: 1fe53fd7947529b0d06ef15bdeed86100a0d0034db4d9c6f14af7ff3259e0d57
Opcode Fuzzy Hash: dd5099bdf6ae3b958939ff475e2c6e485eb7a47781ab6b9b30304389f3813c52
Instruction Fuzzy Hash: B86170B5E012199FCB08CFAAD98099EFBF2BF89300F14D129E419AB254DB346946CF50

Function 0931D469 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217fe4ad7355e3e9c7b68340250ff3cc481704e490c4de0beaf8b018a810a441
Instruction ID: debe252f8f9f32b7b2272e2e0740e17c45e1c98a4df6b89d35e2e824a5db7198
Opcode Fuzzy Hash: 217fe4ad7355e3e9c7b68340250ff3cc481704e490c4de0beaf8b018a810a441
Instruction Fuzzy Hash: F931A2B5E016199BDB18CFAAD8446DEFBF2AFC9300F14C12AD418BB254DB341946CF50

Function 0931B5C0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507654113.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad775df7ed0d6ed7858d3cc9c195ab1d782cb6fdfce3318bb03a33b3220559b3
Instruction ID: 379d7f9ba1d0b18afb2482e8b9cfa700fb303a1a583652771a348bccec354eac
Opcode Fuzzy Hash: ad775df7ed0d6ed7858d3cc9c195ab1d782cb6fdfce3318bb03a33b3220559b3
Instruction Fuzzy Hash: 8E318C75E056288BEB68CF679C447DAFAF7AFC9300F04C1BAD44CA6254DB301A858F41

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\BimStep\Settings.cfg

C:\Users\user\Desktop\Flistnew.ini

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
SecuriteInfo.com.W32.ABTrojan.TFWF-7096.22699.18150.exe

Function 077084D1 Relevance: 5.4, Strings: 4, Instructions: 366
COMMON

Function 093188F0 Relevance: 4.1, Strings: 3, Instructions: 323
COMMON

Function 093188E0 Relevance: 4.0, Strings: 3, Instructions: 250
COMMON

Function 05400A30 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON