Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.5595.4189

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetectNet.01.5595.4189 (renamed file extension from 4189 to exe)
Analysis ID: 659059
MD5: 8a743553a12d1c6cbf3bb3714410e034
SHA1: 7225b7233ad25d7b426cacee1df9ade262e67520
SHA256: 6e7ed6e2800cb45547906279f027fe098d08bb0dbc517ce41fe0ebe33222ab99
Tags: AgentTesla, exe

Detection

BluStealer, SpyEx
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected SpyEx stealer
Malicious sample detected (through community Yara rule)
Yara detected BluStealer
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.AIDetectNet.01.5595.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe" MD5: 8A743553A12D1C6CBF3BB3714410E034)
    • powershell.exe (PID: 7036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "From": "\"t.liaen@yandex.com\"", "To": "t.liaen@yandex.com", "SMTP Server": "lCC\u007f+wxN@|f\nBy"}
Source | Rule | Description | Author | Strings
00000008.00000002.704326968.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000008.00000002.704326968.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security |
00000000.00000003.444443907.0000000003926000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000003.490679051.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.490679051.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security |
(27 entries in the full report; first 5 shown)

Source | Rule | Description | Author | Strings
0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.3b56028.8.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.3b56028.8.raw.unpack | JoeSecurity_SpyEx_1 | Yara detected SpyEx stealer | Joe Security |
0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.39656d3.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.4e70000.7.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.4e70000.7.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
(34 entries in the full report; first 5 shown)

No Sigma rule has matched
No Snort rule has matched


AV Detection
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Virustotal: Detection: 40%
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | ReversingLabs: Detection: 43%
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu\notes.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu\notes.exe | Virustotal: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu\notes.exe | ReversingLabs: Detection: 43%
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu\notes.exe | Joe Sandbox ML: detected
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.13.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.3b56028.8.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.450000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.400000.6.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.450000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.11.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.9.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.39e1d80.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.400000.8.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.7.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.3ba6048.9.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.400000.10.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.400000.12.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.ce0000.5.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.400000.0.raw.unpack | Malware Configuration Extractor: BluStealer {"Exfil Mode": "SMTP", "From": "\"t.liaen@yandex.com\"", "To": "t.liaen@yandex.com", "SMTP Server": "lCC\u007f+wxN@|f\nBy"}
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Work\SQLiteForExcel\Source\SQLite3_StdCall\Release\SQLite3_StdCall.pdb0. source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529484906.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.705848358.000000001000B000.00000002.00000001.01000000.0000000B.sdmp, SQLite3_StdCall.dll.8.dr
Source: Binary string: protobuf-net.pdbSHA256 source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\SQLiteForExcel\Source\SQLite3_StdCall\Release\SQLite3_StdCall.pdb source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529484906.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.705848358.000000001000B000.00000002.00000001.01000000.0000000B.sdmp, SQLite3_StdCall.dll.8.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File opened: C:\Users\Public\4334444639304441384146393044\SQLite3_StdCall.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File opened: C:\Users\Public\4334444639304441384146393044\SQLite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_0280E8C8
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.502969930.0000000002901000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503255880.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503276267.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503268704.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.502969930.0000000002901000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary
                      Source: 00000000.00000002.503541674.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                      Source: 00000000.00000002.505240066.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, xtu.csLarge array initialization: qii: array initializer size 708058
                      Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.450000.0.unpack, xtu.csLarge array initialization: qii: array initializer size 708058
                      Source: 7.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.0.unpack, xtu.csLarge array initialization: qii: array initializer size 708058
                      Source: 7.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.3.unpack, xtu.csLarge array initialization: qii: array initializer size 708058
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 00000000.00000002.503541674.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: 00000000.00000002.505240066.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028012190_2_02801219
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028012280_2_02801228
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_02800F0B0_2_02800F0B
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_02800F180_2_02800F18
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028822780_2_02882278
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_02885BF00_2_02885BF0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028848400_2_02884840
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_02881E580_2_02881E58
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028826700_2_02882670
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028857710_2_02885771
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028822690_2_02882269
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_02885BE00_2_02885BE0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028840B80_2_028840B8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028800070_2_02880007
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028848310_2_02884831
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028826600_2_02882660
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028609680_2_02860968
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 0_2_028800400_2_02880040
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 8_2_10008C5B8_2_10008C5B
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 8_2_100096E38_2_100096E3
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 8_2_1000AB3C8_2_1000AB3C
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 8_2_1000919F8_2_1000919F
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 8_2_10009DDB8_2_10009DDB
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: 8_2_100041EB8_2_100041EB
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exeCode function: String function: 00403202 appears 327 times
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.501869229.0000000000502000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMT_68312.exeB vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.502969930.0000000002901000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506007712.0000000004D40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameYhezobkundwyvw.dll" vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503086371.0000000002984000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameabacus.exe vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.491472337.0000000003C3D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameabacus.exe vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000007.00000000.492565968.00000000003A2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMT_68312.exeB vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000000.500591295.0000000000497000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameabacus.exe vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
                      Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.704326968.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameabacus.exe vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000000.496089277.0000000000D92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMT_68312.exeB vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.525548641.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529653327.0000000003EE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529505154.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.525584977.0000000003EED000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529547803.0000000003EEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.525493096.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.525470221.0000000003EEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.525603775.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529697322.0000000003EEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Binary or memory string: OriginalFilenameMT_68312.exeB vs SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Section loaded: zipfldr.dll
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: notes.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Virustotal: Detection: 40%
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | ReversingLabs: Detection: 43%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajieobpm.51w.ps1
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.706002917.0000000060966000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.8.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.704326968.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: E*\AC:\Users\Dell\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Binary or memory string: I*\AC:\Users\Dell\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.490679051.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.505240066.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.704326968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000000.500293865.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: `IF0@`I*\AC:\Users\Dell\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | String found in binary or memory: Addresses:GAddress for {0} count not be found./Address updated for {0}
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Work\SQLiteForExcel\Source\SQLite3_StdCall\Release\SQLite3_StdCall.pdb0. | source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529484906.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.705848358.000000001000B000.00000002.00000001.01000000.0000000B.sdmp, SQLite3_StdCall.dll.8.dr
Source: Binary string: protobuf-net.pdbSHA256 | source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.445358931.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.503376807.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000000.00000002.506263882.0000000004E10000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\SQLiteForExcel\Source\SQLite3_StdCall\Release\SQLite3_StdCall.pdb | source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000003.529484906.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, 00000008.00000002.705848358.000000001000B000.00000002.00000001.01000000.0000000B.sdmp, SQLite3_StdCall.dll.8.dr

Data Obfuscation

Source: Yara match | File source: 0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.39656d3.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.4e70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.4e70000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.39e56f3.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.3ae55b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.444443907.0000000003926000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.503255880.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.444916693.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.506443549.0000000004E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.502969930.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.503230604.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.503268704.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.503276267.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe PID: 6952, type: MEMORYSTR
Source: SecuriteInfo.com.W32.AIDetectNet.01.5595.exe, xtu.cs | .Net Code: qij System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.450000.0.unpack, xtu.cs | .Net Code: qij System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.0.unpack, xtu.cs | .Net Code: qij System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.SecuriteInfo.com.W32.AIDetectNet.01.5595.exe.2f0000.3.unpack, xtu.cs | .Net Code: qij System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Code function: 8_2_0040B4E5 push esp; retf 8_2_0040B4EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Code function: 8_2_0040C23E push 0B88B6BFh; retf 8_2_0040C248
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Code function: 8_2_10002E11 push ecx; ret 8_2_10002E24
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Code function: 8_2_10006A98 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,8_2_10006A98
Source: initial sample | Static PE information: section name: .text entropy: 7.998461587691195
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File created: C:\Users\Public\4334444639304441384146393044\SQLite3_StdCall.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File created: C:\Users\Public\4334444639304441384146393044\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu\notes.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu\notes.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yajeu\notes.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.5595.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sec