Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.18072.21111

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetectNet.01.18072.21111 (renamed file extension from 21111 to exe)
Analysis ID: 682146
MD5: 62d82f1dfb55dde5554c8b278a819ac9
SHA1: 01e84f817807005f8d557d5320ddf9c366486620
SHA256: 7b968e65480e574dbf93ace25a28a30ca1f7b77fa98aabe980435484c365efbc
Tags: exe

Detection

StormKitty
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Yara detected StormKitty Stealer
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.AIDetectNet.01.18072.exe (PID: 4288 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe" MD5: 62D82F1DFB55DDE5554C8B278A819AC9)
    • MSBuild.exe (PID: 4144 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
    • MSBuild.exe (PID: 5640 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • AppLaunch.exe (PID: 60 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x327c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x316c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3c02:$op3: 00 04 03 69 91 1B 40
  • 0x4452:$op3: 00 04 03 69 91 1B 40
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.raw.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x17ef0:$s1: Temporary Directory * for
  • 0x17f4c:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x17904:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x17e7c:$s7: CopyHere
  • 0x17e44:$s9: shell.application
  • 0x17e9c:$s9: Shell.Application
  • 0x17a64:$s10: SetRequestHeader
  • 0x17ffc:$s12: @TITLE Removing
  • 0x18034:$s13: @RD /S /Q "
0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x17ef0:$s1: Temporary Directory * for
  • 0x17f4c:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x17904:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x17e7c:$s7: CopyHere
  • 0x17e44:$s9: shell.application
  • 0x17e9c:$s9: Shell.Application
  • 0x17a64:$s10: SetRequestHeader
  • 0x17ffc:$s12: @TITLE Removing
  • 0x18034:$s13: @RD /S /Q "
5.0.MSBuild.exe.400000.0.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x17ef0:$s1: Temporary Directory * for
  • 0x17f4c:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x17904:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x17e7c:$s7: CopyHere
  • 0x17e44:$s9: shell.application
  • 0x17e9c:$s9: Shell.Application
  • 0x17a64:$s10: SetRequestHeader
  • 0x17ffc:$s12: @TITLE Removing
  • 0x18034:$s13: @RD /S /Q "
6.0.AppLaunch.exe.12b0000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x347c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x336c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3e02:$op3: 00 04 03 69 91 1B 40
  • 0x4652:$op3: 00 04 03 69 91 1B 40
6.0.AppLaunch.exe.12b0000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Virustotal: Detection: 37%
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | ReversingLabs: Detection: 22%
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Joe Sandbox ML: detected
Source: 5.0.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack | Avira: Label: TR/Dropper.Gen
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdb | source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdbDO | source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | DNS query: name: icanhazip.com
Source: Yara match | File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.18.115.97
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com
Source: AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
Source: AppLaunch.exe, 00000006.00000002.278289378.00000000074EE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com4
Source: AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270617234.0000000003774000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000000.262112216.0000000000401000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: unknown | DNS traffic detected: queries for: 46.138.7.0.in-addr.arpa

System Summary

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 5.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, VideoCollection/MainForm.cs | Long String: Length: 31313
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.340000.0.unpack, VideoCollection/MainForm.cs | Long String: Length: 31313
Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 5.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_0264C374
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_0264E671
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_0264E680
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_046911C8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_04694E98
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_046911C6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_046911B9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_04690B80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_04690B90
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_06EB5CB8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_06EB5550
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_06EBF280
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_06EB1A68
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_06EFDFD8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeCode function: 0_2_06EF0040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 6_2_058B76F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 6_2_058BAC10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 6_2_058B6E28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 6_2_058B6AE0
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.275167015.0000000006ED0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.275507123.00000000071C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265951669.0000000002671000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265951669.0000000002671000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265951669.0000000002671000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecussedness.exe vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270016242.0000000003679000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecussedness.exe vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000000.226526470.00000000003CE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNuwi.exe@ vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exeBinary or memory string: OriginalFilenameNuwi.exe@ vs SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exeVirustotal: Detection: 37%
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exeReversingLabs: Detection: 22%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.log
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@2/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\desktop.ini
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270617234.0000000003774000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000000.262112216.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: B*\AC:\Users\TTDOCKYARD\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp8bA
            Source: MSBuild.exe, 00000005.00000002.491480899.0000000000421000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: hA*\AC:\Users\TTDOCKYARD\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
            Source: 6.0.AppLaunch.exe.12b0000.0.unpack, Linq4you/FileZilla.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.0.AppLaunch.exe.12b0000.0.unpack, Linq4you/SystemInfo.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 6.0.AppLaunch.exe.12b0000.0.unpack, ThunderFox/MozillaTFOXPBE.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdb source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp
            Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdbDO source: AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp

            Data Obfuscation

            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, VideoCollection/MainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.340000.0.unpack, VideoCollection/MainForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Code function: 0_2_04692116 push 00000033h; retn 8589h
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Code function: 0_2_06EB75F1 push dword ptr [esp-75h]; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Code function: 0_2_06EF3783 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Code function: 0_2_06EF3780 pushad ; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Code function: 0_2_06EF42D0 pushfd ; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 6_2_058B229A pushfd ; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 6_2_058B42A0 pushfd ; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 6_2_058BBCB8 push eax; iretd
            Source: initial sample | Static PE information: section name: .text entropy: 7.562192679273532
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288, type: MEMORYSTR
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe TID: 5468 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5192 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3576 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Process information queried: ProcessInformation
            Source: AppLaunch.exe, 00000006.00000002.276639658.00000000056A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: AppLaunch.exe, 00000006.00000002.276639658.00000000056A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareK2PEL8NWWin32_VideoController95YFH3V7VideoController120060621000000.000000-00093.61714display.infMSBDA632TZBCUPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZPZ9O9OF
            Source: AppLaunch.exe, 00000006.00000002.276639658.00000000056A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
            Source: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.266242258.00000000026E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 6_2_058B07B8 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 421000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 10AF008
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR
Source: Yara match | File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.278474507.000000000753B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe PID: 4288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR
Source: Yara match | File source: 6.0.AppLaunch.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 60, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number preceding a technique name is the matrix's own badge as it appears in the report)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 131 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 211 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 13 Software Packing
Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 231 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 34 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
            SourceDetectionScannerLabelLink
            SecuriteInfo.com.W32.AIDetectNet.01.18072.exe38%VirustotalBrowse
            SecuriteInfo.com.W32.AIDetectNet.01.18072.exe22%ReversingLabsByteCode-MSIL.Infostealer.Generic
            SecuriteInfo.com.W32.AIDetectNet.01.18072.exe100%Joe Sandbox ML
            No Antivirus matches
            SourceDetectionScannerLabelLinkDownload
            5.0.MSBuild.exe.400000.0.unpack100%AviraTR/Dropper.GenDownload File
            0.2.SecuriteInfo.com.W32.AIDetectNet.01.18072.exe.3775250.2.unpack100%AviraTR/Dropper.GenDownload File
            SourceDetectionScannerLabelLink
            46.138.7.0.in-addr.arpa0%VirustotalBrowse
URLs:
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://icanhazip.com4 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/=2 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comcom9 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp//s | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fonts.comic | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fonts.comc | 0% | URL Reputation | safe
http://www.fontbureau.como& | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/s2Lo | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y02 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp//2(o$ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/o | 0% | URL Reputation | safe
http://www.fontbureau.comlvfet | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/e | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/22 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/=2 | 0% | Avira URL Cloud | safe
http://www.fonts.comn75 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
icanhazip.com | 104.18.115.97 | true | false | | high
46.138.7.0.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270617234.0000000003774000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000000.262112216.0000000000401000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://icanhazip.com4 | AppLaunch.exe, 00000006.00000002.278289378.00000000074EE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/=2 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcom9 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp//s | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.265577466.0000000000987000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comic | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232090615.000000000575B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/LimerBoy/StormKitty | AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://icanhazip.com | AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 00000006.00000002.278255663.00000000074E5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242460534.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.241663603.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.comc | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232034414.000000000575B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como& | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/s2Lo | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y02 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.238153037.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp//2(o$ | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.234226531.000000000574E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/o | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comlvfet | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242460534.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.241663603.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242609831.0000000005758000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242565843.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.264148491.0000000005753000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comm | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.238153037.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.273219672.0000000006952000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/e | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalic | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.239067222.0000000005755000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/22 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236731661.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.236769351.0000000005743000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/=2 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237224324.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237559788.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237693783.000000000574C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237887447.0000000005757000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237133726.0000000005755000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237478456.000000000574C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comn75 | SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.232053595.000000000575B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
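The memory-dump table above mixes two very different kinds of string. The typeface-foundry URLs (fontbureau.com, jiyu-kobo.co.jp, founder.com.cn, sajatypeworks.com and the rest, several with carving junk appended such as `comlvfet` or `//2(o$`) are the name and licence strings that Windows fonts carry in their metadata; they were carved only from the submitted process, which the dropped usage log below shows loading System.Drawing. The strings that matter for detection are the ones found in the memory of MSBuild.exe and AppLaunch.exe, the two .NET host processes whose unpacked image at 0x400000 Avira flags as the same TR/Dropper.Gen: https://api.telegram.org/bot, http://icanhazip.com and https://github.com/LimerBoy/StormKitty. The script below is an added example, not part of the Joe Sandbox report. It parses the Source column (process name plus dump identifier, whose first eight-digit field is the index of the analysed process, the same index used in the `5.0.MSBuild.exe...` and `0.2.SecuriteInfo...` unpacked-file names) and groups the URLs per process; the rows are a constructed subset of the table, and the font-vendor host list is hand-picked for this report, not an allowlist the report provides.

```python
"""Group the URL indicators of a Joe Sandbox report by the process whose
memory they were carved from, and separate font-metadata noise from real
network indicators.

Added example, not part of the Joe Sandbox report. ROWS is a constructed
subset of the report's "URLs from memory dumps" table; FONT_VENDOR_HOSTS is
a hand-picked list, not an allowlist taken from the report.
"""
import re
from urllib.parse import urlsplit

# One Source cell is "<process>, <dump id>[, <process>, <dump id> ...]".
# The dump id begins with the zero-padded index of the analysed process
# (0 is the submitted sample, 5 is MSBuild.exe, 6 is AppLaunch.exe here),
# followed by a dump type, a serial, the region base address and flags.
DUMP_RE = re.compile(
    r"(?P<proc>[\w.\-]+\.exe), "
    r"(?P<pidx>\d{8})\.(?P<kind>\d{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})(?:\.[0-9A-Fa-f]{8}){4}\.sdmp"
)

# Constructed subset of the report's rows: (url, Source cell).
ROWS = [
    ("https://api.telegram.org/bot",
     "SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000002.270617234.0000000003774000.00000004.00000800.00020000.00000000.sdmp, "
     "MSBuild.exe, 00000005.00000000.262112216.0000000000401000.00000040.00000400.00020000.00000000.sdmp, "
     "AppLaunch.exe, 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp"),
    ("http://icanhazip.com",
     "AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp"),
    ("https://github.com/LimerBoy/StormKitty",
     "AppLaunch.exe, 00000006.00000002.277763256.0000000007421000.00000004.00000800.00020000.00000000.sdmp"),
    ("http://www.fontbureau.comlvfet",
     "SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.242460534.0000000005757000.00000004.00000800.00020000.00000000.sdmp"),
    ("http://www.jiyu-kobo.co.jp//2(o$",
     "SecuriteInfo.com.W32.AIDetectNet.01.18072.exe, 00000000.00000003.237416278.0000000005755000.00000004.00000800.00020000.00000000.sdmp"),
]

# Typeface foundries whose URLs sit in font name/licence tables. Hand-picked
# from this report (assumption), not an authoritative allowlist. Prefix match
# on purpose: carving often glues trailing bytes onto the host.
FONT_VENDOR_HOSTS = (
    "www.fontbureau.com", "www.jiyu-kobo.co.jp", "www.founder.com.cn",
    "www.fonts.com", "www.tiro.com", "www.goodfont.co.kr",
    "www.sajatypeworks.com", "www.typography.net", "www.galapagosdesign.com",
    "fontfabrik.com", "www.sandoll.co.kr", "www.urwpp.de",
    "www.zhongyicts.com.cn", "www.sakkal.com", "www.carterandcone.com",
)


def parse_sources(source_cell):
    """Yield (process name, process index, region base) for each dump listed."""
    for m in DUMP_RE.finditer(source_cell):
        yield m["proc"], int(m["pidx"]), int(m["base"], 16)


def classify(url):
    """Label a carved URL as font-metadata noise or a network indicator."""
    host = urlsplit(url).netloc.lower()
    if any(host.startswith(vendor) for vendor in FONT_VENDOR_HOSTS):
        return "font-metadata noise"
    return "network indicator"


def group_by_process(rows):
    """Map process index -> {"process": name, "urls": {url: label}}."""
    groups = {}
    for url, source in rows:
        for proc, pidx, _base in parse_sources(source):
            entry = groups.setdefault(pidx, {"process": proc, "urls": {}})
            entry["urls"][url] = classify(url)
    return groups


def indicators_for(groups, pidx):
    """Sorted URLs from one process that survived the noise filter."""
    urls = groups.get(pidx, {"urls": {}})["urls"]
    return sorted(u for u, label in urls.items() if label == "network indicator")


if __name__ == "__main__":
    groups = group_by_process(ROWS)
    for pidx in sorted(groups):
        print(f"[{pidx}] {groups[pidx]['process']}")
        for url, label in sorted(groups[pidx]["urls"].items()):
            print(f"    {label:20} {url}")
```

Run stand-alone it prints one block per process index; the useful output is that process 0 keeps only the Telegram URL once the foundry hosts are dropped, while processes 5 and 6 carry nothing but payload strings.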
IP | Domain | Country | ASN | ASN Name | Malicious
104.18.115.97 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 682146
Start date and time: 2022-08-11 06:30:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 1s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.W32.AIDetectNet.01.18072.21111 (renamed file extension from 21111 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@2/1
EGA Information:
• Successful, ratio: 66.7%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target MSBuild.exe, PID 5640, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:31:16 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.18072.exe modified
06:31:23 | API Interceptor | 903x Sleep call for process: MSBuild.exe modified
06:31:29 | API Interceptor | 1x Sleep call for process: AppLaunch.exe modified
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1036
Entropy (8bit): 5.356180291633412
Encrypted: false
SSDEEP: 24:MLasXE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MNH2HKXwYHKhQnoPtHoxHhAHKzvKvj
MD5: 7F8E631F679DF67A018544E516CF841E
SHA1: 02F03B1AB3CF33821236F743139693A61906A72B
SHA-256: 1FB2E1F28E4A338CD7E04A147E290E1DD880E83054BB2BA48EF6038EBA0BFACD
SHA-512: 4F7FD1AC6D22F8891F77BD3359EB0A536AB8E8A3D064BBAAB6620826F6B9FC8FC18DAB73474DB4806ED9CD1F5652549D7122E1DE8E5741010E7B3BE3F79EBBB7
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral,

Process: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
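Both dropped files are the assembly usage logs the .NET 4 runtime writes for a managed process (records of the form `1,"fusion","GAC",0`, `2,"<assembly>",0` and `3,"<assembly>","<native image path>",0`, with the CRLF separator rendered as `..` in the preview). They are worth reading rather than discarding as benign: the submitted sample bound System.Windows.Forms and System.Drawing, while AppLaunch.exe bound System.Management, the assembly that exposes WMI to managed code. The parser below is an added example, not Joe Sandbox's or the sample's code. The embedded previews are a constructed subset of the two shown above, and the record semantics it relies on (type 2 = assembly bound without a native image, type 3 = assembly with its NGEN image path, type 1 = runtime settings) are inferred from those previews, not from documentation.

```python
"""Parse .NET runtime assembly usage logs as previewed in a Joe Sandbox
report and list the framework assemblies each process bound.

Added example, not part of the Joe Sandbox report. The two previews are
constructed subsets of the ones in the report; record types are inferred
from them (assumption): 1 = runtime settings, 2 = assembly without native
image, 3 = assembly with the path of its NGEN native image.
"""
import csv
import io

# Constructed subsets of the two "Preview" fields. Joe Sandbox shows the CRLF
# record separator as "..", and each preview is cut off mid-record.
APPLAUNCH_PREVIEW = (
    '1,"fusion","GAC",0..1,"WinRT","NotApp",1..'
    '2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0..'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral,'
)
SAMPLE_PREVIEW = (
    '1,"fusion","GAC",0..1,"WinRT","NotApp",1..'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0..'
    '3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a'
)

# Assembly that hosts WMI for managed code (System.Management.ManagementObjectSearcher).
WMI_ASSEMBLY = "System.Management"


def parse_usage_log(preview):
    """Return complete records as dicts; a truncated trailing record is dropped."""
    records = []
    for raw in preview.split(".."):
        if not raw:
            continue
        try:
            fields = next(csv.reader(io.StringIO(raw)))
        except csv.Error:
            continue
        # A complete record is <type>,"<name>"[,"<path>"],<flag>; the integer
        # at both ends is the cheapest way to tell a cut-off record apart.
        if len(fields) < 3 or not (fields[0].isdigit() and fields[-1].isdigit()):
            continue
        records.append({
            "type": int(fields[0]),
            "name": fields[1],
            "path": fields[2] if len(fields) == 4 else None,
            "flag": int(fields[-1]),
        })
    return records


def assembly_names(records):
    """Simple names of the assemblies bound (type 2 and 3 records)."""
    return {r["name"].split(",")[0].strip() for r in records if r["type"] in (2, 3)}


def native_images(records):
    """Map simple assembly name -> NGEN image path for type 3 records."""
    return {r["name"].split(",")[0].strip(): r["path"] for r in records if r["type"] == 3}


def loads_wmi(records):
    """True when the process bound the WMI assembly."""
    return WMI_ASSEMBLY in assembly_names(records)


if __name__ == "__main__":
    for label, preview in (("AppLaunch.exe", APPLAUNCH_PREVIEW), ("sample", SAMPLE_PREVIEW)):
        recs = parse_usage_log(preview)
        print(f"{label}: {sorted(assembly_names(recs))} wmi={loads_wmi(recs)}")
```

On the full logs (1036 and 1216 bytes, the previews stop early) the same parser lists every binding; on a live host the files sit under the user's local application data in the CLR usage-log folder and survive the process, so they are a cheap way to tell which framework areas a short-lived injected host such as AppLaunch.exe actually touched.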
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.559415867177912
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
                                            File size:581632
                                            MD5:62d82f1dfb55dde5554c8b278a819ac9
                                            SHA1:01e84f817807005f8d557d5320ddf9c366486620
                                            SHA256:7b968e65480e574dbf93ace25a28a30ca1f7b77fa98aabe980435484c365efbc
                                            SHA512:e1e629f928a1596325af166a50248794d0a4c8129442b25dd514a5ec6e9eef39c1d8867db6f85a72ffd3f0aa349c28af7ff70dd58027f8a04e15a8cb491a1d54
                                            SSDEEP:12288:M3Ih6jMEb6Qyxao8Fhyq+rqSAl4zXh2J3Fi7mX/IkQkk36EZd/gnS9ZviI:W9Jb6Q28Fu9AvPI2k71fB
                                            TLSH:2BC4D02125A97229E0397BB51DD770A107F5F622DE06F57F3CB931860251E838BAE732
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Qi.b..............P......4........... ........@.. .......................@............@................................
                                            Icon Hash:d4eaccb4e4c8bac4
                                            Entrypoint:0x48c90e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x62F46951 [Thu Aug 11 02:28:33 2022 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8c8bc | 0x4f | .text
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x30a4 | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x92000 | 0xc | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                             Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x2000 | 0x8a93c | 0x8aa00 | False | 0.8138402417718665 | data | 7.562192679273532 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rsrc | 0x8e000 | 0x30a4 | 0x3200 | False | 0.91921875 | data | 7.63895625946023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x92000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                             Name | RVA | Size | Type | Language | Country
                                             RT_ICON | 0x8e0c8 | 0x2c63 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                             RT_GROUP_ICON | 0x90d3c | 0x14 | data | |
                                             RT_VERSION | 0x90d60 | 0x340 | data | |
                                             DLL | Import
                                             mscoree.dll | _CorExeMain
                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Aug 11, 2022 06:31:28.024966955 CEST | 49757 | 80 | 192.168.2.4 | 104.18.115.97
                                             Aug 11, 2022 06:31:28.042078972 CEST | 80 | 49757 | 104.18.115.97 | 192.168.2.4
                                             Aug 11, 2022 06:31:28.042203903 CEST | 49757 | 80 | 192.168.2.4 | 104.18.115.97
                                             Aug 11, 2022 06:31:28.043061018 CEST | 49757 | 80 | 192.168.2.4 | 104.18.115.97
                                             Aug 11, 2022 06:31:28.059881926 CEST | 80 | 49757 | 104.18.115.97 | 192.168.2.4
                                             Aug 11, 2022 06:31:28.067483902 CEST | 80 | 49757 | 104.18.115.97 | 192.168.2.4
                                             Aug 11, 2022 06:31:28.160531998 CEST | 49757 | 80 | 192.168.2.4 | 104.18.115.97
                                             Aug 11, 2022 06:31:29.704567909 CEST | 49757 | 80 | 192.168.2.4 | 104.18.115.97
                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Aug 11, 2022 06:31:27.635854006 CEST | 62099 | 53 | 192.168.2.4 | 8.8.8.8
                                             Aug 11, 2022 06:31:27.653176069 CEST | 53 | 62099 | 8.8.8.8 | 192.168.2.4
                                             Aug 11, 2022 06:31:27.965552092 CEST | 53775 | 53 | 192.168.2.4 | 8.8.8.8
                                             Aug 11, 2022 06:31:27.987278938 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.4
                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                             Aug 11, 2022 06:31:27.635854006 CEST | 192.168.2.4 | 8.8.8.8 | 0x74b5 | Standard query (0) | 46.138.7.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
                                             Aug 11, 2022 06:31:27.965552092 CEST | 192.168.2.4 | 8.8.8.8 | 0xb375 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001)
                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                             Aug 11, 2022 06:31:27.653176069 CEST | 8.8.8.8 | 192.168.2.4 | 0x74b5 | Name error (3) | 46.138.7.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
                                             Aug 11, 2022 06:31:27.987278938 CEST | 8.8.8.8 | 192.168.2.4 | 0xb375 | No error (0) | icanhazip.com | | 104.18.115.97 | A (IP address) | IN (0x0001)
                                             Aug 11, 2022 06:31:27.987278938 CEST | 8.8.8.8 | 192.168.2.4 | 0xb375 | No error (0) | icanhazip.com | | 104.18.114.97 | A (IP address) | IN (0x0001)
                                            • icanhazip.com
                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                             0 | 192.168.2.4 | 49757 | 104.18.115.97 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                             Timestamp | kBytes transferred | Direction | Data
                                             Aug 11, 2022 06:31:28.043061018 CEST | 1022 | OUT | GET / HTTP/1.1
                                                 Host: icanhazip.com
                                                 Connection: Keep-Alive
                                             Aug 11, 2022 06:31:28.067483902 CEST | 1023 | IN | HTTP/1.1 200 OK
                                                 Date: Thu, 11 Aug 2022 04:31:28 GMT
                                                 Content-Type: text/plain
                                                 Content-Length: 14
                                                 Connection: keep-alive
                                                 Access-Control-Allow-Origin: *
                                                 Access-Control-Allow-Methods: GET
                                                 Set-Cookie: __cf_bm=Ey9b06GkUs3RvYus4mW9JMaXcGtQPk1nY.hCZFDJvks-1660192288-0-ATd2/GorYZ33ONvLo9CvyJg1+WCE9p13NRWeYbFnhablhqkRPrYfYCNh6YHAX3XQFFLxJFgRV8le0MmrRGHHRkc=; path=/; expires=Thu, 11-Aug-22 05:01:28 GMT; domain=.icanhazip.com; HttpOnly
                                                 Server: cloudflare
                                                 CF-RAY: 738e3de84d1768f2-FRA
                                                 alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                 Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 33 0a
                                                 Data Ascii: 102.129.143.3



                                            Target ID:0
                                            Start time:06:31:05
                                            Start date:11/08/2022
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.18072.exe"
                                            Imagebase:0x340000
                                            File size:581632 bytes
                                            MD5 hash:62D82F1DFB55DDE5554C8B278A819AC9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.270730941.0000000003797000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                            Reputation:low

                                            Target ID:4
                                            Start time:06:31:19
                                            Start date:11/08/2022
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit):false
                                            Commandline:{path}
                                            Imagebase:0x420000
                                            File size:261728 bytes
                                            MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Target ID:5
                                            Start time:06:31:21
                                            Start date:11/08/2022
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit):true
                                            Commandline:{path}
                                            Imagebase:0xe90000
                                            File size:261728 bytes
                                            MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Visual Basic
                                            Yara matches:
                                            • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.271797122.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high

                                            Target ID:6
                                            Start time:06:31:24
                                            Start date:11/08/2022
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                            Imagebase:0x1310000
                                            File size:98912 bytes
                                            MD5 hash:6807F903AC06FF7E1670181378690B22
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.278305735.00000000074F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.267975304.00000000012B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.278474507.000000000753B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high

                                            No disassembly