Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.19723.25833

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetectNet.01.19723.25833 (renamed file extension from 25833 to exe)
Analysis ID: 615403
MD5: a27c8ee8b37605f3c05e4eb4d614f359
SHA1: 6a8b97217d52a752075b08207bad7d7c867a8854
SHA256: 910a6e4138cb422bf570130f05cdb463d726c0eddb2882bdc6e42fb1daace384
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup
{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.unitelha.com/", "Username": "kilop@unitelha.com", "Password": "Wljp?j]gQwC?"}
Source | Rule | Description | Author | Strings
00000002.00000000.371685383.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000000.371685383.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.378112998.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 17 entries shown)
Source | Rule | Description | Author | Strings
1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | string matches listed below
  • 0x327e8:$s10: logins
  • 0x66a08:$s10: logins
  • 0x3224f:$s11: credential
  • 0x6646f:$s11: credential
  • 0x2e82e:$g1: get_Clipboard
  • 0x62a4e:$g1: get_Clipboard
  • 0x2e83c:$g2: get_Keyboard
  • 0x62a5c:$g2: get_Keyboard
  • 0x2e849:$g3: get_Password
  • 0x62a69:$g3: get_Password
  • 0x2fb58:$g4: get_CtrlKeyDown
  • 0x63d78:$g4: get_CtrlKeyDown
  • 0x2fb68:$g5: get_ShiftKeyDown
  • 0x63d88:$g5: get_ShiftKeyDown
  • 0x2fb79:$g6: get_AltKeyDown
  • 0x63d99:$g6: get_AltKeyDown
2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(5 of 30 entries shown)

Source: Process started, Author: frack113, Data: Command: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, CommandLine: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, NewProcessName: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, OriginalFileName: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, ParentProcessId: 5840, ParentProcessName: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, ProcessCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, ProcessId: 2508, ProcessName: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
                    No Snort rule has matched

                    AV Detection

Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.unitelha.com/", "Username": "kilop@unitelha.com", "Password": "Wljp?j]gQwC?"}
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Virustotal: Detection: 27%
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Joe Sandbox ML: detected
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.8.unpack, Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View, ASN Name: ALMOUROLTECPT ALMOUROLTECPT
Source: unknown, FTP traffic detected: 130.185.84.152:21 -> 192.168.2.6:49741 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 23 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 23 of 50 allowed.220-Local time is now 06:01. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 23 of 50 allowed.220-Local time is now 06:01. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 23 of 50 allowed.220-Local time is now 06:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 23 of 50 allowed.220-Local time is now 06:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ftp://ftp.unitelha.com/kilop
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://MaQvjL.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.634279983.0000000003338000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ftp.unitelha.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.634267246.000000000332C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown, DNS traffic detected: queries for: ftp.unitelha.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.374500466.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary

Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3ba53c8.7.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3ba53c8.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, <PrivateImplementationDetails>{C218DA29-3671-4142-BD88-09FBD8C3393C}/04B15681-D571-4C21-938D-C3C29594E26A.cs, Large array initialization: .cctor: array initializer size 11605
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack, <PrivateImplementationDetails>{C218DA29-3671-4142-BD88-09FBD8C3393C}/04B15681-D571-4C21-938D-C3C29594E26A.cs, Large array initialization: .cctor: array initializer size 11605
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack, <PrivateImplementationDetails>{C218DA29-3671-4142-BD88-09FBD8C3393C}/04B15681-D571-4C21-938D-C3C29594E26A.cs, Large array initialization: .cctor: array initializer size 11605
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.4.unpack, <PrivateImplementationDetails>{C218DA29-3671-4142-BD88-09FBD8C3393C}/04B15681-D571-4C21-938D-C3C29594E26A.cs, Large array initialization: .cctor: array initializer size 11605
Source: 2.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.0.unpack, <PrivateImplementationDetails>{C218DA29-3671-4142-BD88-09FBD8C3393C}/04B15681-D571-4C21-938D-C3C29594E26A.cs, Large array initialization: .cctor: array initializer size 11605
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3ba53c8.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3ba53c8.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_0292A078
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_0292A9C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_02929AD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_0292A9BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_0292EEB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_02929AC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_061A0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_061A0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_061A2E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_00722FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_02DFF3C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_02DFF080
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_0675D228
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_0675CB90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_06759850
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_0675E048
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_067565A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_06751F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_06750040
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_067574B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_067575B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_0676DF21
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_06768184
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_00BF2FF1
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Binary or memory string: OriginalFilename vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamekqdUkOuMkGzolndCdJfRkglQYHUXM.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.378112998.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamekqdUkOuMkGzolndCdJfRkglQYHUXM.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.379999331.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.374500466.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.379121625.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameFuncAttribute.dll" vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamekqdUkOuMkGzolndCdJfRkglQYHUXM.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000000.371685383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamekqdUkOuMkGzolndCdJfRkglQYHUXM.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.632747327.00000000010F8000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.632876241.000000000136A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Binary or memory string: OriginalFilenameCALLC.exe8 vs SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.log
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Mutant created: \Sessions\1\BaseNamedObjects\PwWjJazXCWbBZRHqXuEfC
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, A/F1.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack, A/F1.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack, A/F1.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 1_2_0072A39B push cs; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_00BFA39B push cs; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_02DF3480 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, Code function: 2_2_0676142F push edi; retn 0000h
Source: initial sample, Static PE information: section name: .text entropy: 7.87323976123
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: Yara match -> File source: 00000001.00000002.375601643.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID: 5840, type: MEMORYSTR
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375601643.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp -> Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375601643.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp -> Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe TID: 2460 -> Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe TID: 5160 -> Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe TID: 68 -> Thread sleep count: 5966 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe TID: 68 -> Thread sleep count: 2777 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Window / User API: threadDelayed 5966
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Window / User API: threadDelayed 2777
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Thread delayed: delay time: 922337203685477
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp -> Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp -> Binary or memory string: vmware
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp -> Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.632974126.00000000013CF000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp -> Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Code function: 2_2_0675E048 LdrInitializeThunk,
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
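The lines above show the three evasion families the report attributes to this sample: WMI enumeration of hardware classes (Win32_BaseBoard, Win32_Processor, Win32_NetworkAdapterConfiguration), string probes for Sandboxie (SBIEDLL.DLL), Wine (KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME), VMware and Hyper-V, and thread delays. The delay value 922337203685477 is .NET's TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns divided by 10000), so a thread parked on it never wakes under normal scheduling; the 45733 value is a short pause by comparison. The Python below is an added triage helper, not part of the report or of the sample: it classifies report-style event lines into those families and decides whether the behaviour is evasive. The event lines, the WMI class list, the artifact strings and the thresholds are this example's own assumptions.

```python
"""Triage of sandbox/VM-evasion indicators of the kind the report lists above.

Added example, not part of the Joe Sandbox report or of the sample. The event
lines in SAMPLE_EVENTS are constructed to mirror the report's wording; the
WMI class list, artifact strings and thresholds are assumptions.
"""
import re
from collections import Counter

# WMI classes commonly enumerated to fingerprint a hypervisor (assumed list).
VM_FINGERPRINT_WMI = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
    "Win32_VideoController", "Win32_DiskDrive",
}

# Strings that give a sandbox or hypervisor away when probed from the guest.
SANDBOX_ARTIFACTS = {
    "SBIEDLL.DLL": "Sandboxie",
    "WINE_GET_UNIX_FILE_NAME": "Wine",
    "VMWARE": "VMware",
    "VBOX": "VirtualBox",
    "HYPER-V": "Hyper-V",
    "QEMU": "QEMU",
}

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in milliseconds that
# is 922337203685477, the figure in the report's "delay time" lines.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's own ">= 3 min" threshold

WMI_RE = re.compile(r"root\\cimv2\s*:\s*(?:SELECT \* FROM )?(Win32_\w+)", re.I)
SLEEP_RE = re.compile(r"(?:sleep time|delay time):\s*-?(\d+)", re.I)
STRING_RE = re.compile(r"memory string:\s*(.+)$", re.I)

# Constructed event lines in the report's wording (not copied from the report).
SAMPLE_EVENTS = [
    r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem",
    "Binary or memory string: SBIEDLL.DLL",
    "Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    "Binary or memory string: VMware SVGA II",
    "Thread delayed: delay time: 45733",
    "Thread delayed: delay time: 922337203685477",
]


def classify_event(line):
    """Map one report-style event line to (category, detail), or None."""
    m = WMI_RE.search(line)
    if m:
        cls = m.group(1)
        return ("wmi_vm_fingerprint" if cls in VM_FINGERPRINT_WMI else "wmi_other", cls)
    m = SLEEP_RE.search(line)
    if m:
        # Value taken as milliseconds; the sign is dropped because NT relative
        # delays are expressed as negative numbers.
        ms = int(m.group(1))
        if ms >= TIMESPAN_MAX_MS:
            return ("sleep_unbounded", ms)
        return ("sleep_long" if ms >= LONG_SLEEP_MS else "sleep_short", ms)
    m = STRING_RE.search(line)
    if m:
        text = m.group(1).upper()
        for needle, product in SANDBOX_ARTIFACTS.items():
            if needle in text:
                return ("artifact_probe", product)
    return None


def triage(lines):
    """Count indicator categories and decide whether the behaviour looks evasive:
    two or more hardware-fingerprinting WMI classes, any sandbox artifact probe,
    or any stalling sleep is enough."""
    counts = Counter()
    details = {}
    for line in lines:
        hit = classify_event(line)
        if hit:
            counts[hit[0]] += 1
            details.setdefault(hit[0], []).append(hit[1])
    fingerprinting = counts["wmi_vm_fingerprint"] >= 2 or counts["artifact_probe"] >= 1
    stalling = counts["sleep_long"] + counts["sleep_unbounded"] >= 1
    return {"counts": dict(counts), "details": details,
            "evasive": fingerprinting or stalling}
```

On the constructed events the helper reports three fingerprinting WMI classes, one unrelated class (Win32_OperatingSystem), three artifact probes and one unbounded sleep, and returns an evasive verdict. A single Win32_Processor query is ordinary for .NET applications that use System.Management; the signal is the combination with the DLL and vendor-string probes and the stalling sleeps.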

                    Stealing of Sensitive Information

Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.raw.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3ba53c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 00000002.00000000.371685383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000001.00000002.378112998.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000000.371337269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000000.372498524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000000.372086381.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000002.632505310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID: 5840, type: MEMORYSTR
Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID: 2508, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -> File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match -> File source: 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID: 2508, type: MEMORYSTR
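The file and registry targets above are the standard credential stores that AgentTesla-class stealers read: the Thunderbird and Firefox profiles.ini files (which locate the profile directory holding key4.db and logins.json), Chrome's Login Data SQLite database, the IncrediMail identities key, and the Outlook MAPI profile subkey 9375CFF0413111d3B88A00104B2A6676 in which account settings and stored passwords live. A legitimate process normally touches only its own store; one process reading several applications' stores is the detection signal. The Python below is an added example, not part of the report: it runs that rule over access events such as an EDR or object-access auditing would produce. The event layout, the owner-process names used to suppress an application reading its own store, and the sample events are this example's assumptions (the PID 5840 and the paths mirror the report).

```python
"""Flag a process that reads several applications' credential stores.

Added example, not part of the Joe Sandbox report. The store patterns follow
the paths and keys the report shows being opened; the event layout, the
owner-process names and the sample events are this example's assumptions.
"""
import re
from collections import defaultdict

# (store name, event kind, pattern for the target, processes allowed to read it)
CREDENTIAL_STORES = (
    ("Thunderbird profiles", "file",
     re.compile(r"\\thunderbird\\profiles\.ini$", re.I), {"thunderbird.exe"}),
    ("Firefox profiles", "file",
     re.compile(r"\\mozilla\\firefox\\profiles\.ini$", re.I), {"firefox.exe"}),
    ("Chrome Login Data", "file",
     re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$", re.I), {"chrome.exe"}),
    ("IncrediMail identities", "registry",
     re.compile(r"\\software\\incredimail\\identities$", re.I), {"incmail.exe"}),
    # 9375CFF0413111d3B88A00104B2A6676 is the MAPI profile subkey that holds
    # Outlook account settings, including stored passwords.
    ("Outlook MAPI profile", "registry",
     re.compile(r"\\windows messaging subsystem\\profiles\\.*\\9375cff0413111d3b88a00104b2a6676$", re.I),
     {"outlook.exe"}),
)

SAMPLE_IMAGE = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"
CHROME_LOGIN_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX_PROFILES = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"
THUNDERBIRD_PROFILES = r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"
OUTLOOK_PROFILE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                       r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")

# Constructed access events: (pid, image path, kind, target). The first seven
# mirror the report's observations; the last two are benign owner accesses.
SAMPLE_EVENTS = [
    (5840, SAMPLE_IMAGE, "file", THUNDERBIRD_PROFILES),
    (5840, SAMPLE_IMAGE, "file", THUNDERBIRD_PROFILES),
    (5840, SAMPLE_IMAGE, "registry", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (5840, SAMPLE_IMAGE, "registry", OUTLOOK_PROFILE_KEY),
    (5840, SAMPLE_IMAGE, "file", CHROME_LOGIN_DATA),
    (5840, SAMPLE_IMAGE, "file", FIREFOX_PROFILES),
    (5840, SAMPLE_IMAGE, "file",
     r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll"),
    (1234, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file", CHROME_LOGIN_DATA),
    (2222, r"C:\Program Files\Mozilla Firefox\firefox.exe", "file", FIREFOX_PROFILES),
]


def match_store(kind, target):
    """Return (store name, owner set) if the target is a known credential store."""
    for name, store_kind, pattern, owners in CREDENTIAL_STORES:
        if store_kind == kind and pattern.search(target):
            return name, owners
    return None


def find_harvesters(events, min_stores=2):
    """Group store reads per (pid, exe) and keep processes that read at least
    min_stores distinct stores belonging to other applications."""
    touched = defaultdict(set)
    for pid, image, kind, target in events:
        hit = match_store(kind, target)
        if hit is None:
            continue
        store, owners = hit
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in owners:  # the application reading its own store
            continue
        touched[(pid, exe)].add(store)
    return {key: sorted(stores) for key, stores in touched.items()
            if len(stores) >= min_stores}
```

On the constructed events only PID 5840 is returned, with all five stores; chrome.exe and firefox.exe reading their own files are suppressed, and the repeated Thunderbird open collapses into one store. Raising min_stores trades recall for precision: a single store read by a foreign process is common (backup agents, migration tools), two or more by an unsigned binary in a user's profile directory rarely is.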

                    Remote Access Functionality

Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.raw.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3dd6c40.9.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3ba53c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 1.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.3bdb5e8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 00000002.00000000.371685383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000001.00000002.378112998.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000000.371337269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000000.372498524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000000.372086381.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000002.632505310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID: 5840, type: MEMORYSTR
Source: Yara match -> File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID: 2508, type: MEMORYSTR
MITRE ATT&CK Matrix

The report's matrix, rebuilt per tactic column. A number in front of a technique is the hit badge the report attaches to that technique and is kept as it appears; techniques without a number are the matrix's fixed entries.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 3 Software Packing
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 1 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Antivirus detection for the submitted file

Source | Detection | Scanner | Label
SecuriteInfo.com.W32.AIDetectNet.01.19723.exe | 28% | Virustotal |
SecuriteInfo.com.W32.AIDetectNet.01.19723.exe | 21% | ReversingLabs | Win32.Trojan.AgentTesla
SecuriteInfo.com.W32.AIDetectNet.01.19723.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Antivirus detection for unpacked PE files

Source | Detection | Scanner | Label
2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
2.2.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
2.0.SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8

No Antivirus matches

Antivirus detection for URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://MaQvjL.com | 0% | Avira URL Cloud | safe
http://ftp.unitelha.com | 0% | Avira URL Cloud | safe
ftp://ftp.unitelha.com/kilop | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    ftp.unitelha.com | 130.185.84.152 | true | true | - | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                      http://MaQvjL.com | SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://ftp.unitelha.com | SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.634279983.0000000003338000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.634267246.000000000332C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                      ftp://ftp.unitelha.com/kilop | SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://DynDns.comDynDNSnamejidpasswordPsi/Psi | SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                         IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                         130.185.84.152 | ftp.unitelha.com | Portugal | - | 24768 | ALMOUROLTECPT | true
                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:615403
                         Start date and time:2022-04-26 07:00:27 +02:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 9m 53s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:SecuriteInfo.com.W32.AIDetectNet.01.19723.25833 (renamed file extension from 25833 to exe)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                         Number of new started processes analysed:18
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                        EGA Information:
                        • Successful, ratio: 50%
                        HDC Information:
                        • Successful, ratio: 0.2% (good quality ratio 0.1%)
                        • Quality average: 48%
                        • Quality standard deviation: 33%
                        HCA Information:
                        • Successful, ratio: 94%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                        • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                        • Execution Graph export aborted for target SecuriteInfo.com.W32.AIDetectNet.01.19723.exe, PID 5840 because it is empty
                         • Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                         Time | Type | Description
                         07:01:38 | API Interceptor | 797x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.19723.exe modified
                        No context
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2271
                        Entropy (8bit):5.364115343032043
                        Encrypted:false
                        SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvmHKiQHKx1qHxvAHj:iqXeqm00YqhQnouRqjntIxHeqz+qBqxz
                        MD5:2AC349459A771367D95FB2E5271E538F
                        SHA1:FC9D5F6DDFC0D588E344C98EBC48E37C5E587E77
                        SHA-256:0F36341CBF0410D1ACE0A351ABCA5343D2073F92ABC2B54C1E92767B9FCF0074
                        SHA-512:9DF1CAC11964291805C7914E319A1C6F73FFCF458EBD32BD615ECD65FB94BC6880461FF60F6589CAB2A165A6C4DCDA83F50E18D965413A0D48A59A1E51B7EAC6
                        Malicious:true
                        Reputation:low
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.856549843950473
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
                        File size:650240
                        MD5:a27c8ee8b37605f3c05e4eb4d614f359
                        SHA1:6a8b97217d52a752075b08207bad7d7c867a8854
                        SHA256:910a6e4138cb422bf570130f05cdb463d726c0eddb2882bdc6e42fb1daace384
                        SHA512:769fe817c1616f80672a63ad8a8464c26aa4374e569343df04feab22a3a1193eac5f7eee5fb3afaa94ed28792da492659c2b02220f0197c1b89641a0d7f9f536
                        SSDEEP:12288:STId9kv1FSJqWFQGPHIn0M8h/1JlK4IIIIQqJqi+p:rd9gSqHGPa0L/1JUiIIci0
                        TLSH:C8D4122BF354B212CEB507B644567C9199FBBE272137DB8F548C7A29E6333E08A53061
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Ogb..............0.............J.... ........@.. .......................@............@................................
                        Icon Hash:00828e8e8686b000
                        Entrypoint:0x49fb4a
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x62674F11 [Tue Apr 26 01:46:57 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                         Name | Virtual Address | Virtual Size | Is in Section
                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9faf8 | 0x4f | .text
                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x5b0 | .rsrc
                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa2000 | 0xc | .reloc
                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                         Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                         .text | 0x2000 | 0x9db70 | 0x9dc00 | False | 0.908947541105 | data | 7.87323976123 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                         .rsrc | 0xa0000 | 0x5b0 | 0x800 | False | 0.318359375 | data | 3.30301138268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                         .reloc | 0xa2000 | 0xc | 0x400 | False | 0.025390625 | data | 0.0558553080537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                         Name | RVA | Size | Type | Language | Country
                         RT_VERSION | 0xa0090 | 0x320 | data | - | -
                         RT_MANIFEST | 0xa03c0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -
                         DLL | Import
                         mscoree.dll | _CorExeMain
                         Description | Data
                         Translation | 0x0000 0x04b0
                         LegalCopyright | Copyright Soltys 2010
                         Assembly Version | 1.0.0.0
                         InternalName | CALLC.exe
                         FileVersion | 1.0.0.0
                         CompanyName | (empty)
                         LegalTrademarks | (empty)
                         Comments | (empty)
                         ProductName | dotXMLTools
                         ProductVersion | 1.0.0.0
                         FileDescription | dotXMLTools
                         OriginalFilename | CALLC.exe
                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                         Apr 26, 2022 07:01:56.847805023 CEST | 49741 | 21 | 192.168.2.6 | 130.185.84.152
                         Apr 26, 2022 07:01:56.895060062 CEST | 21 | 49741 | 130.185.84.152 | 192.168.2.6
                         Apr 26, 2022 07:01:56.895224094 CEST | 49741 | 21 | 192.168.2.6 | 130.185.84.152
                         Apr 26, 2022 07:01:56.915653944 CEST | 49741 | 21 | 192.168.2.6 | 130.185.84.152
                         Apr 26, 2022 07:01:56.945121050 CEST | 21 | 49741 | 130.185.84.152 | 192.168.2.6
                         Apr 26, 2022 07:01:56.945218086 CEST | 49741 | 21 | 192.168.2.6 | 130.185.84.152
                         Apr 26, 2022 07:01:56.963036060 CEST | 21 | 49741 | 130.185.84.152 | 192.168.2.6
                         Apr 26, 2022 07:01:56.963162899 CEST | 49741 | 21 | 192.168.2.6 | 130.185.84.152
                         Apr 26, 2022 07:01:56.963299990 CEST | 21 | 49741 | 130.185.84.152 | 192.168.2.6
                         Apr 26, 2022 07:01:56.963385105 CEST | 49741 | 21 | 192.168.2.6 | 130.185.84.152
                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                         Apr 26, 2022 07:01:56.730844975 CEST | 50958 | 53 | 192.168.2.6 | 8.8.8.8
                         Apr 26, 2022 07:01:56.757020950 CEST | 53 | 50958 | 8.8.8.8 | 192.168.2.6
                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                         Apr 26, 2022 07:01:56.730844975 CEST | 192.168.2.6 | 8.8.8.8 | 0xcc6c | Standard query (0) | ftp.unitelha.com | A (IP address) | IN (0x0001)
                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                         Apr 26, 2022 07:01:56.757020950 CEST | 8.8.8.8 | 192.168.2.6 | 0xcc6c | No error (0) | ftp.unitelha.com | - | 130.185.84.152 | A (IP address) | IN (0x0001)
                         Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                         Apr 26, 2022 07:01:56.945121050 CEST | 21 | 49741 | 130.185.84.152 | 192.168.2.6 |
                         220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                         220-You are user number 23 of 50 allowed.
                         220-Local time is now 06:01. Server port: 21.
                         220-This is a private system - No anonymous login
                         220-IPv6 connections are also welcome on this server.
                         220 You will be disconnected after 15 minutes of inactivity.
                         Apr 26, 2022 07:01:56.963036060 CEST | 21 | 49741 | 130.185.84.152 | 192.168.2.6 | 220 Logout.


                        Target ID:1
                        Start time:07:01:36
                        Start date:26/04/2022
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"
                        Imagebase:0x720000
                        File size:650240 bytes
                        MD5 hash:A27C8EE8B37605F3C05E4EB4D614F359
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.376573034.0000000003BA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.378112998.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.378112998.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.375601643.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.375072023.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low

                        Target ID:2
                        Start time:07:01:39
                        Start date:26/04/2022
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
                        Imagebase:0xbf0000
                        File size:650240 bytes
                        MD5 hash:A27C8EE8B37605F3C05E4EB4D614F359
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.371685383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.371685383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.371337269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.371337269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.372498524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.372498524.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.372086381.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.372086381.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.632505310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.632505310.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.633680403.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low

                        No disassembly