Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.16858.8637

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetectNet.01.16858.8637 (renamed file extension from 8637 to exe)
Analysis ID:	682147
MD5:	dfe8f6d0b1fb5fb795f5596564ed5a60
SHA1:	0e94379e76c28d605fd35c65369626a823924000
SHA256:	342c1de5e06e65ef00a4d5c0c39e4157d5b54268f3324d6db17f76498b02a7c1
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.AIDetectNet.01.16858.exe (PID: 5884 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe" MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

SecuriteInfo.com.W32.AIDetectNet.01.16858.exe (PID: 5800 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

bgnFA.exe (PID: 2508 cmdline: "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe" MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

bgnFA.exe (PID: 5936 cmdline: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

bgnFA.exe (PID: 5312 cmdline: "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe" MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "mostafa@gpd-qatar.com", "Password": "Toy?C@R2v$4bKt", "Host": "mail.gpd-qatar.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x678c1:$a13: get_DnsResolver 0x9b6e1:$a13: get_DnsResolver 0xcf301:$a13: get_DnsResolver 0x6611e:$a20: get_LastAccessed 0x99f3e:$a20: get_LastAccessed 0xcdb5e:$a20: get_LastAccessed 0x68251:$a27: set_InternalServerPort 0x9c071:$a27: set_InternalServerPort 0xcfc91:$a27: set_InternalServerPort 0x6856e:$a30: set_GuidMasterKey 0x9c38e:$a30: set_GuidMasterKey 0xcffae:$a30: set_GuidMasterKey 0x66225:$a33: get_Clipboard 0x9a045:$a33: get_Clipboard 0xcdc65:$a33: get_Clipboard 0x66233:$a34: get_Keyboard 0x9a053:$a34: get_Keyboard 0xcdc73:$a34: get_Keyboard 0x674de:$a35: get_ShiftKeyDown 0x9b2fe:$a35: get_ShiftKeyDown 0xcef1e:$a35: get_ShiftKeyDown
00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f8b9:$a13: get_DnsResolver 0x2e116:$a20: get_LastAccessed 0x30249:$a27: set_InternalServerPort 0x30566:$a30: set_GuidMasterKey 0x2e21d:$a33: get_Clipboard 0x2e22b:$a34: get_Keyboard 0x2f4d6:$a35: get_ShiftKeyDown 0x2f4e7:$a36: get_AltKeyDown 0x2e238:$a37: get_Password 0x2ecac:$a38: get_PasswordHash 0x2fcc1:$a39: get_DefaultCredentials
0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xaf09:$a13: get_DnsResolver 0x99c0:$a20: get_LastAccessed 0xb84e:$a27: set_InternalServerPort 0xbab1:$a30: set_GuidMasterKey 0x9ab3:$a33: get_Clipboard 0x9ac1:$a34: get_Keyboard 0xabbf:$a35: get_ShiftKeyDown 0xabd0:$a36: get_AltKeyDown 0x9ace:$a37: get_Password 0xa49e:$a38: get_PasswordHash 0xb2e8:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1e67c:$a13: get_DnsResolver 0x1d133:$a20: get_LastAccessed 0x1efc1:$a27: set_InternalServerPort 0x1f224:$a30: set_GuidMasterKey 0x1d226:$a33: get_Clipboard 0x1d234:$a34: get_Keyboard 0x1e332:$a35: get_ShiftKeyDown 0x1e343:$a36: get_AltKeyDown 0x1d241:$a37: get_Password 0x1dc11:$a38: get_PasswordHash 0x1ea5b:$a39: get_DefaultCredentials
Process Memory Space: bgnFA.exe PID: 2508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bgnFA.exe PID: 5936	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: bgnFA.exe PID: 5936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3059a:$s10: logins 0x2fff6:$s11: credential 0x2c61d:$g1: get_Clipboard 0x2c62b:$g2: get_Keyboard 0x2c638:$g3: get_Password 0x2d8c6:$g4: get_CtrlKeyDown 0x2d8d6:$g5: get_ShiftKeyDown 0x2d8e7:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2dcb9:$a13: get_DnsResolver 0x2c516:$a20: get_LastAccessed 0x2e649:$a27: set_InternalServerPort 0x2e966:$a30: set_GuidMasterKey 0x2c61d:$a33: get_Clipboard 0x2c62b:$a34: get_Keyboard 0x2d8d6:$a35: get_ShiftKeyDown 0x2d8e7:$a36: get_AltKeyDown 0x2c638:$a37: get_Password 0x2d0ac:$a38: get_PasswordHash 0x2e0c1:$a39: get_DefaultCredentials
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3239a:$s10: logins 0x31df6:$s11: credential 0x2e41d:$g1: get_Clipboard 0x2e42b:$g2: get_Keyboard 0x2e438:$g3: get_Password 0x2f6c6:$g4: get_CtrlKeyDown 0x2f6d6:$g5: get_ShiftKeyDown 0x2f6e7:$g6: get_AltKeyDown
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fab9:$a13: get_DnsResolver 0x2e316:$a20: get_LastAccessed 0x30449:$a27: set_InternalServerPort 0x30766:$a30: set_GuidMasterKey 0x2e41d:$a33: get_Clipboard 0x2e42b:$a34: get_Keyboard 0x2f6d6:$a35: get_ShiftKeyDown 0x2f6e7:$a36: get_AltKeyDown 0x2e438:$a37: get_Password 0x2eeac:$a38: get_PasswordHash 0x2fec1:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3059a:$s10: logins 0x2fff6:$s11: credential 0x2c61d:$g1: get_Clipboard 0x2c62b:$g2: get_Keyboard 0x2c638:$g3: get_Password 0x2d8c6:$g4: get_CtrlKeyDown 0x2d8d6:$g5: get_ShiftKeyDown 0x2d8e7:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2dcb9:$a13: get_DnsResolver 0x2c516:$a20: get_LastAccessed 0x2e649:$a27: set_InternalServerPort 0x2e966:$a30: set_GuidMasterKey 0x2c61d:$a33: get_Clipboard 0x2c62b:$a34: get_Keyboard 0x2d8d6:$a35: get_ShiftKeyDown 0x2d8e7:$a36: get_AltKeyDown 0x2c638:$a37: get_Password 0x2d0ac:$a38: get_PasswordHash 0x2e0c1:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3239a:$s10: logins 0x65fba:$s10: logins 0x31df6:$s11: credential 0x65a16:$s11: credential 0x2e41d:$g1: get_Clipboard 0x6203d:$g1: get_Clipboard 0x2e42b:$g2: get_Keyboard 0x6204b:$g2: get_Keyboard 0x2e438:$g3: get_Password 0x62058:$g3: get_Password 0x2f6c6:$g4: get_CtrlKeyDown 0x632e6:$g4: get_CtrlKeyDown 0x2f6d6:$g5: get_ShiftKeyDown 0x632f6:$g5: get_ShiftKeyDown 0x2f6e7:$g6: get_AltKeyDown 0x63307:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xa6ab7:$s1: file:/// 0x11a8d7:$s1: file:/// 0xa69c7:$s2: {11111-22222-10009-11112} 0x11a7e7:$s2: {11111-22222-10009-11112} 0xa6a47:$s3: {11111-22222-50001-00000} 0x11a867:$s3: {11111-22222-50001-00000} 0xa3d9b:$s4: get_Module 0x117bbb:$s4: get_Module 0x2e95c:$s5: Reverse 0x6257c:$s5: Reverse 0xa4214:$s5: Reverse 0x118034:$s5: Reverse 0x30808:$s6: BlockCopy 0x64428:$s6: BlockCopy 0xa6189:$s6: BlockCopy 0x119fa9:$s6: BlockCopy 0x2ebfd:$s7: ReadByte 0x6281d:$s7: ReadByte 0xa6ac9:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x11a8e9:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fab9:$a13: get_DnsResolver 0x636d9:$a13: get_DnsResolver 0x2e316:$a20: get_LastAccessed 0x61f36:$a20: get_LastAccessed 0x30449:$a27: set_InternalServerPort 0x64069:$a27: set_InternalServerPort 0x30766:$a30: set_GuidMasterKey 0x64386:$a30: set_GuidMasterKey 0x2e41d:$a33: get_Clipboard 0x6203d:$a33: get_Clipboard 0x2e42b:$a34: get_Keyboard 0x6204b:$a34: get_Keyboard 0x2f6d6:$a35: get_ShiftKeyDown 0x632f6:$a35: get_ShiftKeyDown 0x2f6e7:$a36: get_AltKeyDown 0x63307:$a36: get_AltKeyDown 0x2e438:$a37: get_Password 0x62058:$a37: get_Password 0x2eeac:$a38: get_PasswordHash 0x62acc:$a38: get_PasswordHash 0x2fec1:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3239a:$s10: logins 0x661ba:$s10: logins 0x99dda:$s10: logins 0x31df6:$s11: credential 0x65c16:$s11: credential 0x99836:$s11: credential 0x2e41d:$g1: get_Clipboard 0x6223d:$g1: get_Clipboard 0x95e5d:$g1: get_Clipboard 0x2e42b:$g2: get_Keyboard 0x6224b:$g2: get_Keyboard 0x95e6b:$g2: get_Keyboard 0x2e438:$g3: get_Password 0x62258:$g3: get_Password 0x95e78:$g3: get_Password 0x2f6c6:$g4: get_CtrlKeyDown 0x634e6:$g4: get_CtrlKeyDown 0x97106:$g4: get_CtrlKeyDown 0x2f6d6:$g5: get_ShiftKeyDown 0x634f6:$g5: get_ShiftKeyDown 0x97116:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xda8d7:$s1: file:/// 0x14e6f7:$s1: file:/// 0xda7e7:$s2: {11111-22222-10009-11112} 0x14e607:$s2: {11111-22222-10009-11112} 0xda867:$s3: {11111-22222-50001-00000} 0x14e687:$s3: {11111-22222-50001-00000} 0xd7bbb:$s4: get_Module 0x14b9db:$s4: get_Module 0x2e95c:$s5: Reverse 0x6277c:$s5: Reverse 0x9639c:$s5: Reverse 0xd8034:$s5: Reverse 0x14be54:$s5: Reverse 0x30808:$s6: BlockCopy 0x64628:$s6: BlockCopy 0x98248:$s6: BlockCopy 0xd9fa9:$s6: BlockCopy 0x14ddc9:$s6: BlockCopy 0x2ebfd:$s7: ReadByte 0x62a1d:$s7: ReadByte 0x9663d:$s7: ReadByte
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fab9:$a13: get_DnsResolver 0x638d9:$a13: get_DnsResolver 0x974f9:$a13: get_DnsResolver 0x2e316:$a20: get_LastAccessed 0x62136:$a20: get_LastAccessed 0x95d56:$a20: get_LastAccessed 0x30449:$a27: set_InternalServerPort 0x64269:$a27: set_InternalServerPort 0x97e89:$a27: set_InternalServerPort 0x30766:$a30: set_GuidMasterKey 0x64586:$a30: set_GuidMasterKey 0x981a6:$a30: set_GuidMasterKey 0x2e41d:$a33: get_Clipboard 0x6223d:$a33: get_Clipboard 0x95e5d:$a33: get_Clipboard 0x2e42b:$a34: get_Keyboard 0x6224b:$a34: get_Keyboard 0x95e6b:$a34: get_Keyboard 0x2f6d6:$a35: get_ShiftKeyDown 0x634f6:$a35: get_ShiftKeyDown 0x97116:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x697ba:$s10: logins 0x9d5da:$s10: logins 0xd11fa:$s10: logins 0x69216:$s11: credential 0x9d036:$s11: credential 0xd0c56:$s11: credential 0x6583d:$g1: get_Clipboard 0x9965d:$g1: get_Clipboard 0xcd27d:$g1: get_Clipboard 0x6584b:$g2: get_Keyboard 0x9966b:$g2: get_Keyboard 0xcd28b:$g2: get_Keyboard 0x65858:$g3: get_Password 0x99678:$g3: get_Password 0xcd298:$g3: get_Password 0x66ae6:$g4: get_CtrlKeyDown 0x9a906:$g4: get_CtrlKeyDown 0xce526:$g4: get_CtrlKeyDown 0x66af6:$g5: get_ShiftKeyDown 0x9a916:$g5: get_ShiftKeyDown 0xce536:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x111cf7:$s1: file:/// 0x185b17:$s1: file:/// 0x111c07:$s2: {11111-22222-10009-11112} 0x185a27:$s2: {11111-22222-10009-11112} 0x111c87:$s3: {11111-22222-50001-00000} 0x185aa7:$s3: {11111-22222-50001-00000} 0x10efdb:$s4: get_Module 0x182dfb:$s4: get_Module 0x65d7c:$s5: Reverse 0x99b9c:$s5: Reverse 0xcd7bc:$s5: Reverse 0x10f454:$s5: Reverse 0x183274:$s5: Reverse 0x67c28:$s6: BlockCopy 0x9ba48:$s6: BlockCopy 0xcf668:$s6: BlockCopy 0x1113c9:$s6: BlockCopy 0x1851e9:$s6: BlockCopy 0x6601d:$s7: ReadByte 0x99e3d:$s7: ReadByte 0xcda5d:$s7: ReadByte
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x66ed9:$a13: get_DnsResolver 0x9acf9:$a13: get_DnsResolver 0xce919:$a13: get_DnsResolver 0x65736:$a20: get_LastAccessed 0x99556:$a20: get_LastAccessed 0xcd176:$a20: get_LastAccessed 0x67869:$a27: set_InternalServerPort 0x9b689:$a27: set_InternalServerPort 0xcf2a9:$a27: set_InternalServerPort 0x67b86:$a30: set_GuidMasterKey 0x9b9a6:$a30: set_GuidMasterKey 0xcf5c6:$a30: set_GuidMasterKey 0x6583d:$a33: get_Clipboard 0x9965d:$a33: get_Clipboard 0xcd27d:$a33: get_Clipboard 0x6584b:$a34: get_Keyboard 0x9966b:$a34: get_Keyboard 0xcd28b:$a34: get_Keyboard 0x66af6:$a35: get_ShiftKeyDown 0x9a916:$a35: get_ShiftKeyDown 0xce536:$a35: get_ShiftKeyDown
Click to see the 22 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Virustotal: Detection: 17%

Perma Link

Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mostafa@gpd-qatar.com", "Password": "Toy?C@R2v$4bKt", "Host": "mail.gpd-qatar.com"}

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49767 -> 50.87.253.110:587

Source: global traffic

TCP traffic: 192.168.2.5:49767 -> 50.87.253.110:587

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DGTGmt.com
Source: bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698098173.0000000003121000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698171434.000000000312A000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697762371.00000000030F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://LyFPshcnr7V.net
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628638098.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706267699.0000000005FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628638098.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/QF:
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495839319.00000000067F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627609088.00000000067F8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627807287.0000000005F75000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.gpd-qatar.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, bgnFA.exe.6.dr	String found in binary or memory: http://philiphanson.org/medius/book/1.0
Source: bgnFA.exe.6.dr	String found in binary or memory: http://philiphanson.org/medius/temp-transform
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499067814.0000000005F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497043630.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com91(Z
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417045383.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417084076.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comc1nZ1
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comwit
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499067814.0000000005F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627417778.00000000067C3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497454262.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496857402.00000000067D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627511724.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497585491.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706267699.0000000005FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.448367203.00000000012D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.413853855.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.413853855.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn-
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499163953.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.676529704.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627511724.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comivu
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.414005981.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.414013214.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%GETOK
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown

DNS traffic detected: queries for: mail.gpd-qatar.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe			Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.447804176.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bD323C4A9u002d3203u002d48AFu002dBCE9u002d20800F01B95Bu007d/u00346788441u002dC7C0u002d44BFu002dB790u002dF91B01BA75FB.cs

Large array initialization: .cctor: array initializer size 11464

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_012CC214	0_2_012CC214
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_012CEBA8	0_2_012CEBA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_012CEBB8	0_2_012CEBB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_05188640	0_2_05188640
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_05188610	0_2_05188610
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0281EFD8	6_2_0281EFD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0281F320	6_2_0281F320
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0281FBF0	6_2_0281FBF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_028160A3	6_2_028160A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DDA18	6_2_061DDA18
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DC008	6_2_061DC008
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DD080	6_2_061DD080
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DF9D0	6_2_061DF9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DCF30	6_2_061DCF30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D32A8	6_2_061D32A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D41E1	6_2_061D41E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C8764	6_2_063C8764
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C5060	6_2_063C5060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C0040	6_2_063C0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C1080	6_2_063C1080
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C2108	6_2_063C2108
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063CAC20	6_2_063CAC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C3C00	6_2_063C3C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C9A68	6_2_063C9A68
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C8C10	6_2_063C8C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063CAC10	6_2_063CAC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063CB910	6_2_063CB910
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06436E80	6_2_06436E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643047A	6_2_0643047A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06433078	6_2_06433078
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06435878	6_2_06435878
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643D978	6_2_0643D978
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643A1D8	6_2_0643A1D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06437328	6_2_06437328
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643A174	6_2_0643A174
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_064395F0	6_2_064395F0

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Virustotal: Detection: 17%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/4@2/2

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.810000.0.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: bgnFA.exe.6.dr, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static file information: File size 1131008 > 1048576

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.810000.0.unpack, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: bgnFA.exe.6.dr, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D166A push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1662 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D169A push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16BA push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16B2 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16AA push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D26D8 pushfd ; iretd	6_2_061D26D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16DA push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16D2 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16CA push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16C2 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16FA push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16F2 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16EA push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16E2 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D171A push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1712 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D170A push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1702 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D173A push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1732 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D172A push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1722 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1742 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D179E push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1796 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D178E push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17BE push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17B6 push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17AE push es; ret	6_2_061D18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17A6 push es; ret	6_2_061D18C4

Source: initial sample	Static PE information: section name: .text entropy: 7.433620851852969
Source: initial sample	Static PE information: section name: .text entropy: 7.433620851852969

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bgnFA			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bgnFA			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File opened: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 2508, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe TID: 5892	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe TID: 3952	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe TID: 6076	Thread sleep count: 9539 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 4520	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 4596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 5296	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 4112	Thread sleep count: 9408 > 30	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Window / User API: threadDelayed 9539			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Window / User API: threadDelayed 9408			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628197268.0000000006888000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496499510.0000000006885000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF_
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628197268.0000000006888000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496499510.0000000006885000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.447149466.0000000008B60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nRQemu
Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Code function: 6_2_061DC4A0 LdrInitializeThunk,

6_2_061DC4A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Memory written: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 5936, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 5936, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 5936, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	114 System Information Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Query Registry	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	111 Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	17%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://api.ipify.org%GETOK	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://www.postsignum.cz/crl/psrootqca2.crl02	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/lcr0#	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.defence.gov.au/pki0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://ca.mtin.es/mtin/ocsp0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://philiphanson.org/medius/temp-transform	0%	Avira URL Cloud	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://ca.mtin.es/mtin/DPCyPoliticas0	0%	URL Reputation	safe
http://www.carterandcone.como	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://LyFPshcnr7V.net	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.founder.com.cn/cn-	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe
http://ocsp.ncdc.gov.sa0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.gpd-qatar.com	50.87.253.110	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org%GETOK	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627807287.0000000005F75000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.e-me.lv/repository0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.suscerte.gob.ve0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.postsignum.cz/crl/psrootqca2.crl02	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497043630.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.suscerte.gob.ve/lcr0#	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certeurope.fr/reference/root2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.defence.gov.au/pki0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrito	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.448367203.00000000012D7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sk.ee/cps/0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.globaltrust.info0=	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.anf.es	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pki.registradores.org/normativa/index.htm0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://policy.camerfirma.com0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ssc.lt/cps03	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anf.es/es/address-direccion.html	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.mtin.es/mtin/ocsp0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cps.letsencrypt.org0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://philiphanson.org/medius/temp-transform	bgnFA.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.dnie.es/dpc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627511724.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.mtin.es/mtin/DPCyPoliticas0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.como	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.globaltrust.info0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acedicom.edicomgroup.com/doc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class3TS.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499067814.0000000005F79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://crl.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certeurope.fr/reference/pc-root2.pdf0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ac.economia.gob.mx/last.crl0G	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://LyFPshcnr7V.net	bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698098173.0000000003121000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698171434.000000000312A000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697762371.00000000030F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.catcert.net/verarrel	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca0f	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn-	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.413853855.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-szigno.hu/RootCA.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sk.ee/juur/crl/0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eca.hinet.net/repository0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ssc.lt/root-a/cacrl.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es00	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.netlock.net/docs	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-trust.be/CPS/QNcerts	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497585491.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706267699.0000000005FAC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.ncdc.gov.sa0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497454262.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.253.110	mail.gpd-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682147
Start date and time:	2022-08-11 06:30:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.W32.AIDetectNet.01.16858.8637 (renamed file extension from 8637 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/4@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 76 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 209.197.3.8
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, arc.msn.com, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:31:25	API Interceptor	623x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe modified
06:31:39	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bgnFA C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
06:31:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bgnFA C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
06:32:03	API Interceptor	341x Sleep call for process: bgnFA.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
50.87.253.110	RFQ_512038573837.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.27397.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.18421.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.25422.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.gpd-qatar.com	RFQ_512038573837.exe	Get hash	malicious	Browse	50.87.253.110
	SecuriteInfo.com.W32.AIDetectNet.01.27397.exe	Get hash	malicious	Browse	50.87.253.110
	SecuriteInfo.com.W32.AIDetectNet.01.18421.exe	Get hash	malicious	Browse	50.87.253.110
	SecuriteInfo.com.W32.AIDetectNet.01.25422.exe	Get hash	malicious	Browse	50.87.253.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	Doc11245.htm	Get hash	malicious	Browse	162.240.215.126
	vBD1HySRYJ	Get hash	malicious	Browse	66.116.235.212
	HBL & MBL drafts.xlsx	Get hash	malicious	Browse	192.185.162.134
	ark.exe	Get hash	malicious	Browse	192.185.162.134
	Shipping Document. pdf.exe	Get hash	malicious	Browse	162.241.24.224
	kMrqa6xL3u	Get hash	malicious	Browse	76.162.184.144
	TT COPY.exe	Get hash	malicious	Browse	162.241.217.198
	http://3vnw3unw.vddelbkc.theneighborhoodsite.com/afranco@drinkbodyarmor.com	Get hash	malicious	Browse	162.241.114.244
	http://3vnw3unw.vddelbkc.theneighborhoodsite.com	Get hash	malicious	Browse	162.241.114.244
	Past Due Inv_#.xlsx	Get hash	malicious	Browse	69.49.234.191
	Past Due Inv_#.xlsx	Get hash	malicious	Browse	69.49.234.191
	WCI Supply - Statement 09.08.2022.xlsx	Get hash	malicious	Browse	162.240.23.83
	SecuriteInfo.com.Gen.Variant.Nemesis.9768.12528.exe	Get hash	malicious	Browse	50.87.145.7
	https://osrahcm.telenoc.org/write/	Get hash	malicious	Browse	108.167.152.103
	e2rbgORMRq.exe	Get hash	malicious	Browse	192.254.211.36
	qCArmvz2mn.exe	Get hash	malicious	Browse	192.185.224.36
	VbpkFO7qBC.exe	Get hash	malicious	Browse	192.185.162.134
	order # 510266.xlsx	Get hash	malicious	Browse	192.185.174.178
	Request Quotation.exe	Get hash	malicious	Browse	162.241.148.128
	Overexcitable.exe	Get hash	malicious	Browse	192.185.41.210

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bgnFA.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1131008
Entropy (8bit):	7.058493037232615
Encrypted:	false
SSDEEP:	24576:AAi4vwHmQl/HrwmpStXqDrbWtOJqyp9hgi:ANHrw7aCOJJ
MD5:	DFE8F6D0B1FB5FB795F5596564ED5A60
SHA1:	0E94379E76C28D605FD35C65369626A823924000
SHA-256:	342C1DE5E06E65EF00A4D5C0C39E4157D5B54268F3324D6DB17F76498B02A7C1
SHA-512:	4C188F028F2FE1D73E009B754C670CE6267FAB4CDBA288E75E544D8FA153F6A1AB1BC363BE69F5D7E713D672CC737CD2D69B67793E89C248352B4EBB7BB9CE8D
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 17%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.b..............0......:......V$... ...@....@.. ....................................@..................................$..O....@...7........................................................................... ............... ..H............text...\.... ...................... ..`.rsrc....7...@...8..................@..@.reloc...............@..............@..B................8$......H...........L.......j....l.. ............................................0............{....o.....+..f..{.....,..+.~ ...o!....&...}........0..j........s"......{....o#...o$....+(.o%...t......o&.....,...o'...u....o(.....o)...-....u........,...o........+.............4M........s"...}......}.....(+......(.......0..s.........{...........s,...o-......{....o.....+0..(/......o....s0......o1.....{....o#....o2...&...(3...-...........o............&.=c.......0..+.........,..{......

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.058493037232615
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File size:	1131008
MD5:	dfe8f6d0b1fb5fb795f5596564ed5a60
SHA1:	0e94379e76c28d605fd35c65369626a823924000
SHA256:	342c1de5e06e65ef00a4d5c0c39e4157d5b54268f3324d6db17f76498b02a7c1
SHA512:	4c188f028f2fe1d73e009b754c670ce6267fab4cdba288e75e544d8fa153f6a1ab1bc363be69f5d7e713d672cc737cd2d69b67793e89c248352b4ebb7bb9ce8d
SSDEEP:	24576:AAi4vwHmQl/HrwmpStXqDrbWtOJqyp9hgi:ANHrw7aCOJJ
TLSH:	D2359DDEEA48C85ADD154B30E83948F05767BDA5F435D85F285BBC21BA7338E212AD03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.b..............0......:......V$... ...@....@.. ....................................@................................

File Icon


Icon Hash:	0f3135466416514c

Static PE Info

General

Entrypoint:	0x4e2456
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F46281 [Thu Aug 11 01:59:29 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe2404	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe4000	0x337a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x118000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe045c	0xe0600	False	0.6771903290389972	data	7.433620851852969	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe4000	0x337a4	0x33800	False	0.1639961316747573	data	4.093478798314193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x118000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe4160	0x33090	data
RT_GROUP_ICON	0x1171f0	0x14	data
RT_GROUP_ICON	0x117204	0x14	data
RT_VERSION	0x117218	0x3a0	data
RT_MANIFEST	0x1175b8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:31:52.393898010 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:52.564441919 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:52.565962076 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:52.872816086 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:52.873655081 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.044276953 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.044578075 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.216497898 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.341092110 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.518033028 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518070936 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518093109 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518110037 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518186092 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.518229961 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.520034075 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.581407070 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.752665043 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.959604025 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.128820896 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.299420118 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.304728031 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.475887060 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.476553917 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.687643051 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.783134937 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.785454988 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.955754042 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.959969044 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.960346937 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.132647038 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.135360003 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.305826902 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.306900978 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.307035923 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.307812929 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.307898998 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.477329016 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.477361917 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.478331089 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.478370905 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.479069948 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.647525072 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:38.429254055 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:38.599436998 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:38.599688053 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:38.903387070 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:38.903830051 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.074331999 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.074683905 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.246436119 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.266998053 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.446536064 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446569920 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446587086 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446599960 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446610928 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446913004 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.455908060 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.626528025 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.689002991 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.859565973 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.860413074 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.031085968 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.031702995 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.242882013 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.338757038 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.339184999 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.509526968 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.509551048 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.509987116 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.682395935 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.682790995 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.853790998 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.854865074 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.854993105 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.855067015 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.855168104 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:41.026067019 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:41.026170969 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:41.027707100 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:41.161303997 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:33:32.128531933 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:33:32.339531898 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:33:32.771600962 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:33:32.772248030 CEST	49767	587	192.168.2.5	50.87.253.110

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:31:52.169194937 CEST	59661	53	192.168.2.5	8.8.8.8
Aug 11, 2022 06:31:52.350989103 CEST	53	59661	8.8.8.8	192.168.2.5
Aug 11, 2022 06:32:38.382360935 CEST	62525	53	192.168.2.5	8.8.8.8
Aug 11, 2022 06:32:38.401916981 CEST	53	62525	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 11, 2022 06:31:52.169194937 CEST	192.168.2.5	8.8.8.8	0x100e	Standard query (0)	mail.gpd-qatar.com	A (IP address)	IN (0x0001)
Aug 11, 2022 06:32:38.382360935 CEST	192.168.2.5	8.8.8.8	0xf46	Standard query (0)	mail.gpd-qatar.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 11, 2022 06:31:52.350989103 CEST	8.8.8.8	192.168.2.5	0x100e	No error (0)	mail.gpd-qatar.com		50.87.253.110	A (IP address)	IN (0x0001)
Aug 11, 2022 06:32:38.401916981 CEST	8.8.8.8	192.168.2.5	0xf46	No error (0)	mail.gpd-qatar.com		50.87.253.110	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 11, 2022 06:31:52.872816086 CEST	587	49767	50.87.253.110	192.168.2.5	220-box2181.bluehost.com ESMTP Exim 4.95 #2 Wed, 10 Aug 2022 22:31:52 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 11, 2022 06:31:52.873655081 CEST	49767	587	192.168.2.5	50.87.253.110	EHLO 320946
Aug 11, 2022 06:31:53.044276953 CEST	587	49767	50.87.253.110	192.168.2.5	250-box2181.bluehost.com Hello 320946 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 11, 2022 06:31:53.044578075 CEST	49767	587	192.168.2.5	50.87.253.110	STARTTLS
Aug 11, 2022 06:31:53.216497898 CEST	587	49767	50.87.253.110	192.168.2.5	220 TLS go ahead
Aug 11, 2022 06:32:38.903387070 CEST	587	49856	50.87.253.110	192.168.2.5	220-box2181.bluehost.com ESMTP Exim 4.95 #2 Wed, 10 Aug 2022 22:32:38 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 11, 2022 06:32:38.903830051 CEST	49856	587	192.168.2.5	50.87.253.110	EHLO 320946
Aug 11, 2022 06:32:39.074331999 CEST	587	49856	50.87.253.110	192.168.2.5	250-box2181.bluehost.com Hello 320946 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 11, 2022 06:32:39.074683905 CEST	49856	587	192.168.2.5	50.87.253.110	STARTTLS
Aug 11, 2022 06:32:39.246436119 CEST	587	49856	50.87.253.110	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	06:31:13
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe"
Imagebase:	0x810000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	06:31:27
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Imagebase:	0x4f0000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	06:31:47
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Imagebase:	0xd60000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 17%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	06:31:58
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Imagebase:	0x9b0000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	06:32:10
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Imagebase:	0x9f0000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	189
Total number of Limit Nodes:	12

Executed Functions

Function 05188640 Relevance: 41.9, Strings: 30, Instructions: 4369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%ql, xrefs: 0518ABD6
$%ql, xrefs: 0518A3DB
$%ql, xrefs: 0518C9D6
$%ql, xrefs: 0518CD05
$%ql, xrefs: 0518AE52
$%ql, xrefs: 05189B5D
$%ql, xrefs: 051896F5
$%ql, xrefs: 0518C1C4
$%ql, xrefs: 05189F08
$%ql, xrefs: 05189C31
$%ql, xrefs: 0518ACAA
$%ql, xrefs: 0518C01C
$%ql, xrefs: 0518C3D8
$%ql, xrefs: 0518D009
$%ql, xrefs: 0518C603
$%ql, xrefs: 0518A64C
$%ql, xrefs: 0518999C
$%ql, xrefs: 0518C7C2
$%ql, xrefs: 0518A720
$%ql, xrefs: 051898C8
$%ql, xrefs: 05189A70
$%ql, xrefs: 0518BBE3
$%ql, xrefs: 0518953E
$%ql, xrefs: 0518AF3F
$%ql, xrefs: 0518CDD9
$%ql, xrefs: 0518A00C
$%ql, xrefs: 05189D05
$%ql, xrefs: 0518A233
$%ql, xrefs: 0518A307
$%ql, xrefs: 0518AD7E

Memory Dump Source

Source File: 00000000.00000002.452606678.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql
API String ID: 0-896137311
Opcode ID: e52924d50e919c90dbfab2490009cdb05757eec262154e0b8200deed33f5ef7b
Instruction ID: 6e80ad28b4d1159a6a37b99cebc1fd48425c933a2c22d79876c4f2d7d5380420
Opcode Fuzzy Hash: e52924d50e919c90dbfab2490009cdb05757eec262154e0b8200deed33f5ef7b
Instruction Fuzzy Hash: BFA3C634A00659CFC768EF24C894AAAB7B2FF89305F5145E9D54DAB361DB31AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05188610 Relevance: 41.9, Strings: 30, Instructions: 4366COMMON

Download Yara Rule

Strings

$%ql, xrefs: 0518ABD6
$%ql, xrefs: 0518A3DB
$%ql, xrefs: 0518C9D6
$%ql, xrefs: 0518CD05
$%ql, xrefs: 0518AE52
$%ql, xrefs: 05189B5D
$%ql, xrefs: 051896F5
$%ql, xrefs: 0518C1C4
$%ql, xrefs: 05189F08
$%ql, xrefs: 05189C31
$%ql, xrefs: 0518ACAA
$%ql, xrefs: 0518C01C
$%ql, xrefs: 0518C3D8
$%ql, xrefs: 0518D009
$%ql, xrefs: 0518C603
$%ql, xrefs: 0518A64C
$%ql, xrefs: 0518999C
$%ql, xrefs: 0518C7C2
$%ql, xrefs: 0518A720
$%ql, xrefs: 051898C8
$%ql, xrefs: 05189A70
$%ql, xrefs: 0518BBE3
$%ql, xrefs: 0518953E
$%ql, xrefs: 0518AF3F
$%ql, xrefs: 0518CDD9
$%ql, xrefs: 0518A00C
$%ql, xrefs: 05189D05
$%ql, xrefs: 0518A233
$%ql, xrefs: 0518A307
$%ql, xrefs: 0518AD7E

Memory Dump Source

Source File: 00000000.00000002.452606678.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql$$%ql
API String ID: 0-896137311
Opcode ID: b9c371883b909102a82db09cb2e3c8084dd2595246346b142611cabdef04924c
Instruction ID: 3cc466fcb0855a96ea2d6b1264738780614cac873a15b788584d3e235192c341
Opcode Fuzzy Hash: b9c371883b909102a82db09cb2e3c8084dd2595246346b142611cabdef04924c
Instruction Fuzzy Hash: EAA3C634A00659CFC764EF24C894AAAB7B2FF89301F5146E9D54DAB361DB31AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 012CBCC3 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012CBD30
GetCurrentThread.KERNEL32 ref: 012CBD6D
GetCurrentProcess.KERNEL32 ref: 012CBDAA
GetCurrentThreadId.KERNEL32 ref: 012CBE03

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 26ff5de35cd5fde573f254af4e3b4113af65c63ff1580e8fec6b9046a44fbaac
Instruction ID: 7d804f53648dde1d799966d0ca576aff6aa898b64c905dd7dcaf18f478e53782
Opcode Fuzzy Hash: 26ff5de35cd5fde573f254af4e3b4113af65c63ff1580e8fec6b9046a44fbaac
Instruction Fuzzy Hash: E45156B49046498FDB14CFA9C6487DEBBF1BF49314F248A9EE509A7290C7345844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 012CBCD0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012CBD30
GetCurrentThread.KERNEL32 ref: 012CBD6D
GetCurrentProcess.KERNEL32 ref: 012CBDAA
GetCurrentThreadId.KERNEL32 ref: 012CBE03

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bb3d6b7698c7183441e75d038e50aa2f712a4353624340802b6d1f1dc5b3a236
Instruction ID: 8d8c847047cd655494fd6096916058bc13e316b7866df02e529f6a22271b5212
Opcode Fuzzy Hash: bb3d6b7698c7183441e75d038e50aa2f712a4353624340802b6d1f1dc5b3a236
Instruction Fuzzy Hash: 1D5146B49006498FDB14CFA9D548BDEBBF1BF49314F20865DE509A7390DB345844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 051803F8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0518050A

Memory Dump Source

Source File: 00000000.00000002.452606678.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fae179a904b62b20d3f3ea7ff64c474cdf276036d057e56db9c156930d32a1e4
Instruction ID: c22661ad5c0967610b4a4cffb6880844224b35e34838c5c4ec4deda48986453f
Opcode Fuzzy Hash: fae179a904b62b20d3f3ea7ff64c474cdf276036d057e56db9c156930d32a1e4
Instruction Fuzzy Hash: 2B41B1B1D0030DDFDB14DF99C984ADEBBB5BF48314F24822AE419AB210D7759989CF91

Uniqueness

Uniqueness Score: -1.00%

Function 051803EF Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0518050A

Memory Dump Source

Source File: 00000000.00000002.452606678.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c328ab0e276041bb6383d24de5f960f22518cfa4816ca4652f4b721f9521c0db
Instruction ID: ee5466b048c688c0ea7a4c0f9d98e9cfd968794de0fdcf7524363e81f278de73
Opcode Fuzzy Hash: c328ab0e276041bb6383d24de5f960f22518cfa4816ca4652f4b721f9521c0db
Instruction Fuzzy Hash: 3C51C1B1D04309DFDF14DFA9C984ADDBBB5BF48310F25822AE419AB210D7749989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012C3EA0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012C5421

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e07d93fdddb9bd32a29a3fc4265cf4c9787af6a67320a36d648de8c6b76824ea
Instruction ID: 77e1a21ca25c576f0270b0edbdb4311b951b89f58780c6d5e89d720e3b34ebcf
Opcode Fuzzy Hash: e07d93fdddb9bd32a29a3fc4265cf4c9787af6a67320a36d648de8c6b76824ea
Instruction Fuzzy Hash: CC41E4B1D0461DCBDB24DFA9C84478EFBB5FF88704F208169D509AB250DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 051829B0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05182A71

Memory Dump Source

Source File: 00000000.00000002.452606678.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: cb48243c5442d4ed962d83ed1a69eaf56f7665343fea1a21075c163f848a3f78
Instruction ID: 64f7701bef8e83aa9d568c10391b5c65f39a7bdcfb61f39f263353d0dd5408af
Opcode Fuzzy Hash: cb48243c5442d4ed962d83ed1a69eaf56f7665343fea1a21075c163f848a3f78
Instruction Fuzzy Hash: 2F4149B8A00209CFCB24DF89C488BAABBF5FF88314F158599D519A7321D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 012C536B Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012C5421

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 38bc7e0fa2fea938ad0ae76e45b31f9e650bd3409f54c7f4fc34320f8ead2844
Instruction ID: 55233e929863700577952bdd6e4f7feafa866496bc8f03a6939cf13ad9d10adc
Opcode Fuzzy Hash: 38bc7e0fa2fea938ad0ae76e45b31f9e650bd3409f54c7f4fc34320f8ead2844
Instruction Fuzzy Hash: B141E471D04619CFDB24CFA9C8447CDBBB5FF89708F208169D508AB251DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 012CC2F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CC387

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9abc53e1eabc49ef35b7bf3df612ca14ba0f3200fdcfa6959ce6221b8db09112
Instruction ID: 5d067a202360335fcfde1facdc6fb609adbe00b5b9f20075f2391c67b3546a62
Opcode Fuzzy Hash: 9abc53e1eabc49ef35b7bf3df612ca14ba0f3200fdcfa6959ce6221b8db09112
Instruction Fuzzy Hash: 1B21E3B5900209DFDB00CFA9D984ADEBBF4FF48320F15851AE918A3350D378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 012CC300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CC387

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d37d6254d26cc7e13860e45714968d772f5cc24ff4f0f6e41d68345cb19c39d5
Instruction ID: 3f8aa2801a42bba7c00f60c764aecedbe43bac69ef97c368bb34f3fbd46718a9
Opcode Fuzzy Hash: d37d6254d26cc7e13860e45714968d772f5cc24ff4f0f6e41d68345cb19c39d5
Instruction Fuzzy Hash: 6321D3B5900259DFDB10CFAAD984ADEFBF8FB48324F14851AE918A3350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012C8D50 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012C9CA9,00000800,00000000,00000000), ref: 012C9EBA

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9575207ad7b956e49984d52d47b9396cc397f30d0af90aa8ba78742ff84d9fe7
Instruction ID: 5b6c3f56b903fae8010f74f668f328cb8392e8df801205ab80121ebd7cab049f
Opcode Fuzzy Hash: 9575207ad7b956e49984d52d47b9396cc397f30d0af90aa8ba78742ff84d9fe7
Instruction Fuzzy Hash: F91114B29042098FDB10CF9AC444BDEFBF4EB98724F04852EE615B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012C9E49 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012C9CA9,00000800,00000000,00000000), ref: 012C9EBA

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4f8ae71635211c413c5cd5fcce62041ddb74e57afadfde7b583b6f0925d9f770
Instruction ID: fe6a8f89549e81419ed6deb981cf9cc8c69a8ff1a02aace552c1acd794b3658c
Opcode Fuzzy Hash: 4f8ae71635211c413c5cd5fcce62041ddb74e57afadfde7b583b6f0925d9f770
Instruction Fuzzy Hash: EE2144B2C002098FDB10CFAAC484ADEFBF4EB98324F14862ED515A7240C374A546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012C9BC8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012C9C2E

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d767f1788d67dbec35f0457e8322b7162a50ecc96bc8a30a2555a194bc7f93b9
Instruction ID: 7fb9f6c4af47aed8a4ae31aaf6efea69b1d8a598aa3d8a82a148dcb28b5d7deb
Opcode Fuzzy Hash: d767f1788d67dbec35f0457e8322b7162a50ecc96bc8a30a2555a194bc7f93b9
Instruction Fuzzy Hash: 311110B2C006498FDB10CF9AC444BDEFBF4AB88324F10851AD919A7200C378A685CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05180638 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0518069D

Memory Dump Source

Source File: 00000000.00000002.452606678.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f4d1bb1787a919c5dfc437ec5596e17d28fabf1373578cb39b77e875aee2b21a
Instruction ID: 2cc3c5a510e547714d6b49c95d59027f594ba0c90e6e36dce2179b2bfdcfa536
Opcode Fuzzy Hash: f4d1bb1787a919c5dfc437ec5596e17d28fabf1373578cb39b77e875aee2b21a
Instruction Fuzzy Hash: B911F2B58006498FDB20DF99D589BDEBBF8FB48320F24854AD955A7740C378A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05180640 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0518069D

Memory Dump Source

Source File: 00000000.00000002.452606678.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9b1a7da30ede3264bf8924a3e005944227d23c752c5dcda488c414501c0d8d0b
Instruction ID: c7ed5b0c82d5ac2611ef9f3db8fa728fb06f00d693dea7ab3d1dae57cc5b125f
Opcode Fuzzy Hash: 9b1a7da30ede3264bf8924a3e005944227d23c752c5dcda488c414501c0d8d0b
Instruction Fuzzy Hash: 251112B58002098FDB20DF9AD589BDEBBF8FB88320F20851AD915A3340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 012CEBB8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7b1ec65b0b442d4438fabb9b9a72cce0be1583c06601c4a50ee91b5300ee41
Instruction ID: 168dff6434943a97be618cd6d63a213396a62b2988ef36035e44e087dc387a67
Opcode Fuzzy Hash: 8f7b1ec65b0b442d4438fabb9b9a72cce0be1583c06601c4a50ee91b5300ee41
Instruction Fuzzy Hash: 7A12C5F1C91B468BD3B4CF65E9882893BA1B7453A8BD14A08D3711BAD1D7B4117ECF48

Uniqueness

Uniqueness Score: -1.00%

Function 012CC214 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba507423393261737083abf09444af2221c46b43895973c37456b7b4a41ff6b6
Instruction ID: ca06c166630533bcdae03f5096a07c84c943a52e38d22dc8ccd5444e3609ef9e
Opcode Fuzzy Hash: ba507423393261737083abf09444af2221c46b43895973c37456b7b4a41ff6b6
Instruction Fuzzy Hash: 1DA16032E1061A8FCF15DFB5C8445EDBBB3FF88700B15866AEA05AB261DB31A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 012CEBA8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.448286064.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817cd73842af8bb9c3446d595a96f2fbc06450fef8f1a98090ee412e63b49467
Instruction ID: 8df9d3919873e783b70a308083c2eea263edd49a930ed73f429e993a45a6b1fc
Opcode Fuzzy Hash: 817cd73842af8bb9c3446d595a96f2fbc06450fef8f1a98090ee412e63b49467
Instruction Fuzzy Hash: E6C13DF1C91B468BD3A4CF65E8881897B71BB853A8FD14B08D3616BAD1D7B4107ACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.W32.AIDetectNet.01.16858.exePID: 5800, Parent PID: 5884COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.4%
Total number of Nodes:	354
Total number of Limit Nodes:	35

Executed Functions

Function 06435878 Relevance: 6.2, Strings: 4, Instructions: 1193COMMON

Download Yara Rule

Strings

Xcul, xrefs: 0643686C
Xcul, xrefs: 06436876
D0ul, xrefs: 06435FF3
D0ul, xrefs: 06435D53

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: D0ul$D0ul$Xcul$Xcul
API String ID: 0-3458015263
Opcode ID: d74f3ce3bd05a1d82d5259156df7997710d9b223ac4ecac8ede3504bff308103
Instruction ID: ae064ea180aa1b2144065e7b8f2c2391ca38a46759c298925fe9fc6d297b1cc5
Opcode Fuzzy Hash: d74f3ce3bd05a1d82d5259156df7997710d9b223ac4ecac8ede3504bff308103
Instruction Fuzzy Hash: 48921574F042259FCB55DB78C854BAEBBB2AF89354F16846AE506DB3C1CB30DC4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 0643A1D8 Relevance: 3.8, Strings: 2, Instructions: 1338COMMON

Download Yara Rule

Strings

8^ul, xrefs: 0643A2A7
xpl, xrefs: 0643AFCC

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8^ul$xpl
API String ID: 0-4129831687
Opcode ID: 2a000f925905428d2d1d8e6e6bfa70399c3da1ded39ef80ea711ef6eed79d0e9
Instruction ID: 2fc8364c95984938f2c2068702fc99c464cbbfa8a01fa5f71a5d6f4cc9d14232
Opcode Fuzzy Hash: 2a000f925905428d2d1d8e6e6bfa70399c3da1ded39ef80ea711ef6eed79d0e9
Instruction Fuzzy Hash: EEB2D370F442188FEB65DB68C5947AEBBA2EF89304F14806AE446DF392DB35DC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06436E80 Relevance: 3.3, Strings: 1, Instructions: 2099COMMON

Download Yara Rule

Strings

D!ql, xrefs: 06437483

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: D!ql
API String ID: 0-2124241253
Opcode ID: 9795f1ea9b3d74ae97740076dce7fb45d00cf683e7236e40160e568b7b74ed03
Instruction ID: 2b031ed0f04fd1a91c379962eb83aea4bb4a3fd9d8234d2347395a7447882e4c
Opcode Fuzzy Hash: 9795f1ea9b3d74ae97740076dce7fb45d00cf683e7236e40160e568b7b74ed03
Instruction Fuzzy Hash: 77232B71D106198FCB54EF68C884A9DF7B1FF89300F11C69AE459AB261EB30AAC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0643047A Relevance: 2.8, Instructions: 2818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc51d8de12a0361036e47b5367045a703c8da6255f98248b0e62646dda31ff0
Instruction ID: ba5fc609ce03678fa91fde7022da14d3c0ad4c0e45b08d4532ca5370f7a553ea
Opcode Fuzzy Hash: edc51d8de12a0361036e47b5367045a703c8da6255f98248b0e62646dda31ff0
Instruction Fuzzy Hash: 0E53F930D10B598ECB51EF68C884A99F7B1FF99300F15D69AE45877221EB70AAC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 063C5060 Relevance: 2.3, APIs: 1, Instructions: 760
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 063C57E8

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f90ed11df796659031f13cbd2e632e4a6d3609d0730c32ff7cf170457a8f9646
Instruction ID: 5648b6d9ba6882ea46aa86124ac30fb9194cf598906931f0c5da259d5097ddf4
Opcode Fuzzy Hash: f90ed11df796659031f13cbd2e632e4a6d3609d0730c32ff7cf170457a8f9646
Instruction Fuzzy Hash: F8624A75E006188FCB64EF78C95469DB7F1AF89310F1089A9D54AAB750EF30AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0643D978 Relevance: 2.1, Strings: 1, Instructions: 828COMMON

Download Yara Rule

Strings

\pl, xrefs: 0643E1AA

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \pl
API String ID: 0-2208718379
Opcode ID: aafbc410e8cbf5589dcd7a48a614f82e1c7db96ee36aec623c68e9f819ff9b6c
Instruction ID: 0c728637217a8e6d49b08373b253a8d24baa79b084c5a99c08b71ba0c6b88698
Opcode Fuzzy Hash: aafbc410e8cbf5589dcd7a48a614f82e1c7db96ee36aec623c68e9f819ff9b6c
Instruction Fuzzy Hash: F752C271F042148FDB65DBA8C985BAEBBB2EF89310F14842AE115DB791DB30DC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 061DC4A0 Relevance: 2.0, APIs: 1, Instructions: 513
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 061DC9B7

Memory Dump Source

Source File: 00000006.00000002.706969907.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61d0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bf63f8d06ac8ffda09d5d9d8c9589a1e5d03199b704a127b76e6029e9c6d2cca
Instruction ID: ce62aa4eb5d2c72b6bad19f557adda5ad979dec90e96dd9e174770661103d2c6
Opcode Fuzzy Hash: bf63f8d06ac8ffda09d5d9d8c9589a1e5d03199b704a127b76e6029e9c6d2cca
Instruction Fuzzy Hash: C412B274E102059FDF60DBA8C494BAEBBB6EF85304F148D6AE445DB381DB34D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0643A174 Relevance: 1.9, Strings: 1, Instructions: 631COMMON

Download Yara Rule

Strings

8^ul, xrefs: 0643A2A7

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8^ul
API String ID: 0-1689627688
Opcode ID: 9162a43bbbfa10698fa35d63516064aa7ecbecd7333c78ec70de2c355f9f3db5
Instruction ID: 5e9e1fbac078df7e0bd5b358149ef69a812d16834df0a4e270d0293f15344a34
Opcode Fuzzy Hash: 9162a43bbbfa10698fa35d63516064aa7ecbecd7333c78ec70de2c355f9f3db5
Instruction Fuzzy Hash: 0432F670E042188FDB65DBA8C59479EB7E2EF89300F14C06AD44AAF396DB35DC85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06433078 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb6aba78a9cd9e92e610d31ac6d9aea983a414ba9b8358745ed0b504287a7aa
Instruction ID: 4db0f53bd084714a67f03d3edcd04aa4741c31db401c9c4a055cc0b7a1e19f3b
Opcode Fuzzy Hash: 7fb6aba78a9cd9e92e610d31ac6d9aea983a414ba9b8358745ed0b504287a7aa
Instruction Fuzzy Hash: D1D10831F041A44BDB578F69C8843AEBBB1EF89320F18856BD456DB791C632D885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 063CB559 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 063CB60D

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 58117a11ef0d888d79d0755ecb75a0189e3fcb85742f3a21b2aa0a2683cfda02
Instruction ID: 310b957f02a461417d9e56132a2c32bbc875f054ad32c4c5ccae13a689901efc
Opcode Fuzzy Hash: 58117a11ef0d888d79d0755ecb75a0189e3fcb85742f3a21b2aa0a2683cfda02
Instruction Fuzzy Hash: 3C6123B2D002499FDF05CFA9D884ADDBFB2FF48310F14816AE919AB221C7759955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 063C3017 Relevance: 2.0, APIs: 1, Instructions: 545
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 063C35B9

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1cfaaa0f258901121b033fec33fed2f73b2ec1e798f5e62af4e2888b1adaa94
Instruction ID: 4edef0d302edd9ca8b8a524a7acbfdd11d3ec46bce2897846e2464410fff5092
Opcode Fuzzy Hash: d1cfaaa0f258901121b033fec33fed2f73b2ec1e798f5e62af4e2888b1adaa94
Instruction Fuzzy Hash: F8126135B5E3819FE787977888286553FB29F47214F1AC4E6D148CF2A3DA25CC0E8762

Uniqueness

Uniqueness Score: -1.00%

Function 063C3578 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 063C35B9

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8483a0404b6b8e3512088f5f61f8eb30dbbae160b124870ee9d23e7501e0ebb
Instruction ID: 92b2ed180fc6cb9317d91e259fd7529f08f10136cd861baccd91dce7740048fa
Opcode Fuzzy Hash: e8483a0404b6b8e3512088f5f61f8eb30dbbae160b124870ee9d23e7501e0ebb
Instruction Fuzzy Hash: 05612B75E11219DFEB54EBB4D858BAEBBB6AF84314F108828E402E7390DF359D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 063C8830 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082f19842ba6294adbd14afae79ba55a442fb3c3c178857bacae8c8a2ca14871
Instruction ID: 49a6f2c3fbc454afbe8be435a7bd64c9ad0d603fb8a0f419fcd571d1a4707c7b
Opcode Fuzzy Hash: 082f19842ba6294adbd14afae79ba55a442fb3c3c178857bacae8c8a2ca14871
Instruction Fuzzy Hash: 96412572E043598FCB04DF79C8446DEFBB1EF89220F08856AE514A7680DB349949CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 063C1CF0 Relevance: 1.6, APIs: 1, Instructions: 121
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 063C1E09

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: baa32e37ec20b028273e830cbae7bce7f4390a5bc88568b5eb701bf83869c06b
Instruction ID: ca12e4174d4ae3545555de6e38e3c299571f3f9f1814d2025b3a7a931b31f6cd
Opcode Fuzzy Hash: baa32e37ec20b028273e830cbae7bce7f4390a5bc88568b5eb701bf83869c06b
Instruction Fuzzy Hash: E94126B1D04298DFCB11CFA9C894ADEBFF5AF49310F54846AE858AB341D774990ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 063C1639 Relevance: 1.6, APIs: 1, Instructions: 117
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 063C174C

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9ca25cfb3f5dad8d6d123598c9b7fe6c429e78190a574c0d4d222068d143974c
Instruction ID: 4ecdd086cbf4d87b0cf237d705f05ce5b05f82f8b911628dfbd39db24a26d9d7
Opcode Fuzzy Hash: 9ca25cfb3f5dad8d6d123598c9b7fe6c429e78190a574c0d4d222068d143974c
Instruction Fuzzy Hash: 7B416BB1D052498FDB00CFA8C54469EFFF5AF49314F19C56AE448AB342C7749849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063C8714 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063CB722

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 79e235ee38e9f191f5060d1850505ac57d042e78f3368b3ed3531ebf3d95c549
Instruction ID: 414d7bb11b4b0ac797386c3a2729832cd72e641b071f0847085b4cb5f9feeddf
Opcode Fuzzy Hash: 79e235ee38e9f191f5060d1850505ac57d042e78f3368b3ed3531ebf3d95c549
Instruction Fuzzy Hash: 0351BDB1D10309AFDB14CF99C984ADEFBB5BF48310F24812AE919AB210D7759855CF94

Uniqueness

Uniqueness Score: -1.00%

Function 063CCE94 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 063CE471

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7cca3bbe9fb0ab782aa8cb4dca9cdf86f5d4143652123c01c36a9a3179d7b242
Instruction ID: ab85e0c7313bdf141ba8df789387dc2ff888626a60e3cd13732336fd7a96a613
Opcode Fuzzy Hash: 7cca3bbe9fb0ab782aa8cb4dca9cdf86f5d4143652123c01c36a9a3179d7b242
Instruction Fuzzy Hash: 434158B5A00205CFDB50CF99C888AAABBF5FF88324F15845DE519AB361D774A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0281C844 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0281C91A

Memory Dump Source

Source File: 00000006.00000002.679370246.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2810000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 62f7fa0f3eaed975bfb07749068896c71e3fa2f8384aeb733b56421b54edf90e
Instruction ID: bc1e9ea37de2d25860da979566e3d693af6a4fd6552a34ab9028d84177242bb6
Opcode Fuzzy Hash: 62f7fa0f3eaed975bfb07749068896c71e3fa2f8384aeb733b56421b54edf90e
Instruction Fuzzy Hash: 153133B9D402599FDB14CFA8C885BDEBBF5AB08314F14812AE819E7380D7749486CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0281AC7C Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0281C91A

Memory Dump Source

Source File: 00000006.00000002.679370246.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2810000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7e434125f73bdc0a35198da44d9fc71212ebf04d88a60c034bdd2930ff3319b8
Instruction ID: cd1d2cbd80cfddbd2664d7e9b6c417aabeead27d0f1f33a28329537caf48988a
Opcode Fuzzy Hash: 7e434125f73bdc0a35198da44d9fc71212ebf04d88a60c034bdd2930ff3319b8
Instruction Fuzzy Hash: 5A3148B9D402589FDB14CFA8C4857DEBBB5FB08314F10812AE819E7380D7749446CF96

Uniqueness

Uniqueness Score: -1.00%

Function 063C1D50 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 063C1E09

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 90c2507a2bf67ef7e9f06b401ad158c25072a2cbb9d8b6c35561cf9559047363
Instruction ID: 52160ab99bc2f0431a80676d875c3ed4009882147d10a123df9c3833f76b764d
Opcode Fuzzy Hash: 90c2507a2bf67ef7e9f06b401ad158c25072a2cbb9d8b6c35561cf9559047363
Instruction Fuzzy Hash: 8E31DDB1D00258DFCB10CFAAC984A9EFBF5BF48724F54802AE819AB750D7749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 063C1698 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 063C174C

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 11f9a5f9c093b8317f0a2c4f0f2a7e135a5e695d4ab30f146805b906f9ad5b9f
Instruction ID: fe84f5c9bb2f32a6a3aa1e7eb42bb966f7ec26b7036e5c8628fd52ced08cce0b
Opcode Fuzzy Hash: 11f9a5f9c093b8317f0a2c4f0f2a7e135a5e695d4ab30f146805b906f9ad5b9f
Instruction Fuzzy Hash: FD31FFB1D002499FDB10CF99C588A8EFBF5BB48324F28816EE808AB341C7759985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063CE02C Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 063CF308

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 926afb4608ce47abbfcf07313bea43c00267aa5166c74bc0afb7aee3c060d2cc
Instruction ID: 89cfa198f155a9a49aeebb623954a1cf02fb59ab21ca092a5d46edd6a6853d67
Opcode Fuzzy Hash: 926afb4608ce47abbfcf07313bea43c00267aa5166c74bc0afb7aee3c060d2cc
Instruction Fuzzy Hash: EE31D3B0D00248EFDB54DF99C984BDEBBF6AF48314F148019E504BB390D7746949CB95

Uniqueness

Uniqueness Score: -1.00%

Function 063CF274 Relevance: 1.6, APIs: 1, Instructions: 73comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 063CF308

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 04909a3c1f999b47a08a5fb8e3b0de664b834c9744782df9cfc78f2bde2a8332
Instruction ID: 88e00b474a7d740362013a10ba910792b0a15cec77da6b2b829e46a9842e426c
Opcode Fuzzy Hash: 04909a3c1f999b47a08a5fb8e3b0de664b834c9744782df9cfc78f2bde2a8332
Instruction Fuzzy Hash: E931E2B0D00248DFDB50CF99C985BCEBBB6BF48314F14801AE404AB290D7745949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 063CE782 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,063CE777), ref: 063CE807

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5348216a009fe336dff665cc354e6832ec18fc9497e3f9a8ee54e934cf4a024c
Instruction ID: daf95638d0e8f82563bbff990419bc888ab993edfdc92b9010a94ab9ea8c6c56
Opcode Fuzzy Hash: 5348216a009fe336dff665cc354e6832ec18fc9497e3f9a8ee54e934cf4a024c
Instruction Fuzzy Hash: AC21A9B28043888FCB00CFA9C849BCEBFF4EF49224F14844AD554AB241C735A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063CCA6C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,063CD0AE,?,?,?,?,?), ref: 063CD16F

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6feed469c4148c98290c69d2c3a2ead42aabdc334cbf4beb88602a92399a17e2
Instruction ID: bc8d7673b80c6a53833b5b6e27c7be315778829dca66740264ead0012f31c3b2
Opcode Fuzzy Hash: 6feed469c4148c98290c69d2c3a2ead42aabdc334cbf4beb88602a92399a17e2
Instruction Fuzzy Hash: 3A21D4B5900258AFDB50CF99D984ADEBBF4EB48324F14801AE914A7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063CD0E2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,063CD0AE,?,?,?,?,?), ref: 063CD16F

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b001b7d501b4864d925a48376630b538784322e990dca7280f08d80fbe491f27
Instruction ID: a33a48515de3ecafb4cfef7e2fc5199935d834f95257d2b510727bc6fed896e6
Opcode Fuzzy Hash: b001b7d501b4864d925a48376630b538784322e990dca7280f08d80fbe491f27
Instruction Fuzzy Hash: BF21E3B6D002589FDB40CFA9D984ADEBBF4FB48324F14841AE914A3350D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02814C30 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02814CBA

Memory Dump Source

Source File: 00000006.00000002.679370246.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2810000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 03a6a67fc1085fdbfda56beef434c806d8d08777ebe8d2303b8caca4c0544ebf
Instruction ID: 1399e79de1ceb7310f9dd05c6ad160fb10738b0baf664f4a96918c847a1d3fa8
Opcode Fuzzy Hash: 03a6a67fc1085fdbfda56beef434c806d8d08777ebe8d2303b8caca4c0544ebf
Instruction Fuzzy Hash: 9C21BE798013498FEB10CF95D50879ABFF8EB49324F14806AE519E3680D7395544CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 063C842C Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,063C8882), ref: 063C896F

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0307c7577381de15b41c6c58932a967655f2c3f167de24e65baa3f4a1538b458
Instruction ID: 81efb8e29eb7c73bbc632ac3e65bdf445d23b9caf1a8974426a243ff8b26fe88
Opcode Fuzzy Hash: 0307c7577381de15b41c6c58932a967655f2c3f167de24e65baa3f4a1538b458
Instruction Fuzzy Hash: B91117B1C046599BCB10CF9AC4447DEFBF4EB48224F05816AE914B7240D778A954CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 02814C40 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02814CBA

Memory Dump Source

Source File: 00000006.00000002.679370246.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2810000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ae5001f473bfd650b66293caffc92292bcfc56c6bf1ceaf53e44cedb66f9303d
Instruction ID: be67d0739b7e706ae3a9d8548d21ac9e3d978f5ae4b1eac736f9b444eeaab525
Opcode Fuzzy Hash: ae5001f473bfd650b66293caffc92292bcfc56c6bf1ceaf53e44cedb66f9303d
Instruction Fuzzy Hash: 3B116D759013498FEB50DF99D5087DEBBF8EB49328F208429E509A3680DB796544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063C8900 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,063C8882), ref: 063C896F

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f1110e0fd062a9b5113b4ecde1a1769359d175d7654bf94f90357b298e76375e
Instruction ID: ef7af5d13755c8b4d4e66ae7a5c0446479e3f9d0116dbd595ba07608ffed0fb9
Opcode Fuzzy Hash: f1110e0fd062a9b5113b4ecde1a1769359d175d7654bf94f90357b298e76375e
Instruction Fuzzy Hash: D21114B2C0066A9BCB10CF99C5447DEFBF4AF48224F05816AE958B7240D378AA44CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 063C863C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 063CA696

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d645ea6f4323b84ac4044600686c384cefd485653686402f8a1a368e9ae7b089
Instruction ID: ba750eeed0f765964a118eae8c368120830b442b63c8c6b02f32a42bdc935f77
Opcode Fuzzy Hash: d645ea6f4323b84ac4044600686c384cefd485653686402f8a1a368e9ae7b089
Instruction Fuzzy Hash: C611F0B6D046598FDB10CF9AC448BDEFBF4EB89324F10841AE829B7600D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 063CA628 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 063CA696

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 06322933359a4e128811d874529be744234fefcd554bf63872adb4f11e2692da
Instruction ID: 21950e1fb399bf564a4b196aa725a4c6bb7918408dc548ce169d201b9b129242
Opcode Fuzzy Hash: 06322933359a4e128811d874529be744234fefcd554bf63872adb4f11e2692da
Instruction Fuzzy Hash: F211F0B6C016598FDB10CF9AC444BDEFBF5AB89324F14851AD429B7600C375A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063CDD6C Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,063CE777), ref: 063CE807

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 925f7c0a87591aded6586918eafbfb541489ea5e968df89f569a915e4092ccf5
Instruction ID: 4f3a3a132c6db02a6acfa284a35270d3b4f5eee4005df3d30b0d40e1c8bee5cf
Opcode Fuzzy Hash: 925f7c0a87591aded6586918eafbfb541489ea5e968df89f569a915e4092ccf5
Instruction Fuzzy Hash: D51113B19042088FDB10DF9AC488B9EFBF4EB88324F14841AE519A7240C775A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 063CE014 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 063CED8D

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 775bf3e9de3a83e0269cd17c42e80849d8ed137550c7bde38f3c0a94e27358df
Instruction ID: 4ebbae93195591b0989b0c9644c60fb486b8830a40227b2626c965f803f43323
Opcode Fuzzy Hash: 775bf3e9de3a83e0269cd17c42e80849d8ed137550c7bde38f3c0a94e27358df
Instruction Fuzzy Hash: C91130B18002488FDB20DF99C488BDEBBF8EF88224F10841AE518A3240C378A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 063CED32 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 063CED8D

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ac4a6954efa557e8fcf77e9e5ea42aecb96d2a92dc87aafbc209a90a79aa2f04
Instruction ID: cdf2a3fdf442762532b0cd220df5f3914225a8cb8b323a9cad3b5c1b730c08e1
Opcode Fuzzy Hash: ac4a6954efa557e8fcf77e9e5ea42aecb96d2a92dc87aafbc209a90a79aa2f04
Instruction Fuzzy Hash: 671112B1D00259CFDB60DF99D588BDEFBF4EB88324F14845AE519A7600C378A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 063CEDC4 Relevance: 1.5, APIs: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 063CED8D

Memory Dump Source

Source File: 00000006.00000002.707230743.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_63c0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d3a1845dbed3088ddc3ff2eae1eac4be681f624f5e1a588599be53501701c11b
Instruction ID: bc36af40f15a059d9d709cf71527657015b206bf0de2e8083bbb0dbec063b7e9
Opcode Fuzzy Hash: d3a1845dbed3088ddc3ff2eae1eac4be681f624f5e1a588599be53501701c11b
Instruction Fuzzy Hash: 3EF059729083808FDB619BADD8483D9BFE0EF82264F18808FD145E7161C3788949C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 064367E8 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

Xcul, xrefs: 0643686C

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xcul
API String ID: 0-1931488744
Opcode ID: 6b51b24ad2b27fa523a92fdd5a82fe4f1e564a7bfd375ecf519d390e1aecd97e
Instruction ID: e68f132a60ccdb6b158c4aed8f36f915ecffcf6d82345b6b7139c573bbf268da
Opcode Fuzzy Hash: 6b51b24ad2b27fa523a92fdd5a82fe4f1e564a7bfd375ecf519d390e1aecd97e
Instruction Fuzzy Hash: 7E11E034F01126EFCB58DE18C448A1EB7A2FF8D220F16852AD8098B350DB70E851CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0643FC70 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

\pl, xrefs: 0643FC97

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \pl
API String ID: 0-2208718379
Opcode ID: b6499a00a78bd653f6cd58ed54d1da0eda448cb3b287fe176461e45af3ba4311
Instruction ID: c03d42d1a78af17172c2310afa8f4a3b8c3303b02baae677f2d8fff25b149501
Opcode Fuzzy Hash: b6499a00a78bd653f6cd58ed54d1da0eda448cb3b287fe176461e45af3ba4311
Instruction Fuzzy Hash: 3DE0C2227857061BA780997D988177ABACAABC5120B48C136AC4987B82DD24D8089379

Uniqueness

Uniqueness Score: -1.00%

Function 00DCDA00 Relevance: 1.1, Instructions: 1126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677554274.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c577ae0c8d2d8c71c9a9adf3677b133e19fef85174669b37746daf2b451f6f
Instruction ID: 0228bc0dbed2f01f6af0de2eea91369adb7ac1e25a897a59620b858e56f6eca6
Opcode Fuzzy Hash: 29c577ae0c8d2d8c71c9a9adf3677b133e19fef85174669b37746daf2b451f6f
Instruction Fuzzy Hash: 7B42147245E3D58FD3434BB498692823FB0AF57260B0B05DBD4C5CF0B7E1A95A5ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 0643CF90 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7803920f9d460310be50e96d55c1701638f053be64406dd63db0e7c48547782b
Instruction ID: b2587a836c52e8481d80d97eb75d01a8ce8abedfdd84f9cd656bdac33f0c878a
Opcode Fuzzy Hash: 7803920f9d460310be50e96d55c1701638f053be64406dd63db0e7c48547782b
Instruction Fuzzy Hash: 18D1F370E002189FCB55DF68C544BAEBBB6EF89314F20846AD51ADB791CB31EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0643C930 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae4c9f85118732d39eca229bc523fe10840035f841b576dc54c78b92da55cc1
Instruction ID: db50836f45ad113b51de45dfaf0762048b557dd2a8f7b4ccebd435c8e37b1fa3
Opcode Fuzzy Hash: 5ae4c9f85118732d39eca229bc523fe10840035f841b576dc54c78b92da55cc1
Instruction Fuzzy Hash: E1D12631A04215DFC752CF68C8C0AABBBA6EF89314F15C557D855EB392DB31E802CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06439CF0 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f6a77ea90954981a47c645f123434a8c8341681efd797fb1cce2020c0617f5
Instruction ID: 776f0fcd977b57f16b5eeec0d67e3664d4590cc8d5b1c1ca3008e66d086f4373
Opcode Fuzzy Hash: 09f6a77ea90954981a47c645f123434a8c8341681efd797fb1cce2020c0617f5
Instruction Fuzzy Hash: 4EC1A134B043548FDB45AB78886576E7BF2AFCA304F15886AD449DB792EF34CC0A8B51

Uniqueness

Uniqueness Score: -1.00%

Function 0643C180 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f802815680e53a0bf92ede186762ab756b7d6f606b528ba29974d84f853554b
Instruction ID: 806d737cac5dd49ad3d80a217ef7afcece4cd716750ae3b04719d4d3cd55897b
Opcode Fuzzy Hash: 9f802815680e53a0bf92ede186762ab756b7d6f606b528ba29974d84f853554b
Instruction Fuzzy Hash: B991F030B002249FD714AB78C8987AEB6E39FC9304F15C46AE446DB7D2DE35DC4687A1

Uniqueness

Uniqueness Score: -1.00%

Function 06439E40 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff09d438ac17515114c75f0dae7c88302afd7a111f6a521d6f1ff8418896bcca
Instruction ID: 2ede786a91a052adcedb41b33f7c594dd5d8d8238d85d04be8f7f6060e6f32f2
Opcode Fuzzy Hash: ff09d438ac17515114c75f0dae7c88302afd7a111f6a521d6f1ff8418896bcca
Instruction Fuzzy Hash: A5716F34B002158BDB58ABB4D4697AE76E3AFC9304F148829E806DB780EF74DC468B95

Uniqueness

Uniqueness Score: -1.00%

Function 06436B60 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69ea7cbc799d5414bc9db76e22107f6adf04502847b9c2f88d3b16c072386c3
Instruction ID: d510c6cc77421725fbe4f5e3add3b515d5f1ff116067d8f3dacf6b3480c7ea3a
Opcode Fuzzy Hash: a69ea7cbc799d5414bc9db76e22107f6adf04502847b9c2f88d3b16c072386c3
Instruction Fuzzy Hash: 97711A34B002169FDF66DF29C488A6A7BE5EF89610F1A40AAE805CB361DB74DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0643C172 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15c4aa05924fa11728465c1fc00e1254777062a4249a9c5963d7b19fd83a613
Instruction ID: 697841b16b9f816ef23c2998009da7146c3f9cdf891e5b6438edc60caf04aaf1
Opcode Fuzzy Hash: d15c4aa05924fa11728465c1fc00e1254777062a4249a9c5963d7b19fd83a613
Instruction Fuzzy Hash: 6F61CF70B002249FD714AB78C99976EB6E3AFC9304F14C429E416AB7D1CE75EC81C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0643FD08 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b682303bdccd6001719a11c75f4cdce00f1bfe86c7e67a567d496b345892e68f
Instruction ID: e1b209c2837056fc0b7f3896686df9820cf3afae7fe449564e9d50f9ee068997
Opcode Fuzzy Hash: b682303bdccd6001719a11c75f4cdce00f1bfe86c7e67a567d496b345892e68f
Instruction Fuzzy Hash: C351D470E002258FDB94EF68D545AAEB7F2FB4C354F56845AD406AB381DB34EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0643A12C Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe4e91a91e2e609cf4bdc035b50d937d9e667c86da2e2dd2af15de61e2c7d23
Instruction ID: bc3204e05dd705afbd153eb469612eecd710668aaae39bc1bdaaf89f20e00851
Opcode Fuzzy Hash: 7fe4e91a91e2e609cf4bdc035b50d937d9e667c86da2e2dd2af15de61e2c7d23
Instruction Fuzzy Hash: 79415F34B402158FDF589BB4D86976E7AF6AFC8244F14442AE806DB790EF74CC46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06436FD3 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e40e160615adc619e751018409ae3c62d5fc413daf06f4fa611271431c23a6f
Instruction ID: 9f8d42478525aa8181b31754f1f3b29e5f613e80a1177dc26f26aa7e23323612
Opcode Fuzzy Hash: 6e40e160615adc619e751018409ae3c62d5fc413daf06f4fa611271431c23a6f
Instruction Fuzzy Hash: 8241C371A00259DFDF52CFA4C844ADEBFB2AF4E310F008156E995AB391D332E955CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0643FCB1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4416f985faa01101a37a8732dc0c0e6004e64186ff82980b86aa91cabd56a5
Instruction ID: 0d132c2383c4a9ab9f9142056f96003aa6721d65c0c572201685ec137c7fc1ef
Opcode Fuzzy Hash: ef4416f985faa01101a37a8732dc0c0e6004e64186ff82980b86aa91cabd56a5
Instruction Fuzzy Hash: 75312934E042549FD795DB29C944ADABBF2AB4D300F15C466E845EB352DB30DC4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677350784.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a746ce1c4fad6ba324f26746ff9cd64c1607042489c098daa1e335aafd93f2
Instruction ID: 528634af52a720fe2cdc77786cbd8dd2968b71e2864764089e9b8a32725937ce
Opcode Fuzzy Hash: 73a746ce1c4fad6ba324f26746ff9cd64c1607042489c098daa1e335aafd93f2
Instruction Fuzzy Hash: 07214CB1504200DFDB14CF14D9C0B66BFA7FB99328F24856DE90A4B246D336D846C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD124 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677350784.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbc1ba8adda77cf5204ef8041970c3f37c17a45b72f5d03187ea53a4e26ba6f
Instruction ID: bffdaead173f35660c1f4c18ca7760f8994c606ab528237fccd3f82b0e44b69d
Opcode Fuzzy Hash: 1bbc1ba8adda77cf5204ef8041970c3f37c17a45b72f5d03187ea53a4e26ba6f
Instruction Fuzzy Hash: BC2125B1504340DFDB05DF18D8C0B66BF67FB98364F288569E90A4B246D336D846C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677554274.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b495669450b125d1772518ba47ec30c6916a94e97828cee90ca8c8a3433d9b
Instruction ID: bc4ea568af80198beb138930a92596ffe6c47ade9b9c304bae8f4f7242740470
Opcode Fuzzy Hash: 45b495669450b125d1772518ba47ec30c6916a94e97828cee90ca8c8a3433d9b
Instruction Fuzzy Hash: EF21C5B1508245DFDB08DF14D9C4F26BB66FB84314F28C96DD9494B246C336D846DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0643C580 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002419252f056b47618e37c7afba7d75b4da40addc35d08cbf9e0cf04836db9d
Instruction ID: 8f521e03620c2929a4e69f41cde03c372038838c2851a9d08f6a3b9b2acc2fd3
Opcode Fuzzy Hash: 002419252f056b47618e37c7afba7d75b4da40addc35d08cbf9e0cf04836db9d
Instruction Fuzzy Hash: 9C213770A0422ADFEB15DFA0D985BAEBBB5FF48700F20402AE801BB350DB75D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 064370B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fcf4ea203c04c6aa22b5caa949fd2b1c994c17c2a9b56c4dd94a47ebda0f98c
Instruction ID: 70312161f5ec67edbe4e67645dbc524ef757e7cddabc18ff8ace425310f63f53
Opcode Fuzzy Hash: 0fcf4ea203c04c6aa22b5caa949fd2b1c994c17c2a9b56c4dd94a47ebda0f98c
Instruction Fuzzy Hash: 9911B472A0015A9BDF50CF68C840B5FBFA2AF8A310F048556D5589B396D371E851C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677350784.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66214ac6492c772c1380c650795b37f074d04fa4bd200646b971f02ef69cf05
Instruction ID: ed37edf8f1ad3301b9ac441cb59ca5e57717844a8c8f34c57f0aba197a905c5c
Opcode Fuzzy Hash: c66214ac6492c772c1380c650795b37f074d04fa4bd200646b971f02ef69cf05
Instruction Fuzzy Hash: 3911E676404280CFDF11CF10D9C4B56BFB2FB95324F28C6A9D8060B656C33AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD11F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.677350784.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66214ac6492c772c1380c650795b37f074d04fa4bd200646b971f02ef69cf05
Instruction ID: 21907fabc7e7b725c07cd04390855da08bf9cfa285224ac34b96520746b3d819
Opcode Fuzzy Hash: c66214ac6492c772c1380c650795b37f074d04fa4bd200646b971f02ef69cf05
Instruction Fuzzy Hash: BB11D376804280CFDB12CF14D9C4B56BF72FB84324F28C6A9DC050B616C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0643C570 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c5771beacd57b737833a9dfcb3951bf644b0f1896f22c6bb502777da5b9280
Instruction ID: 39e30c996da3098ee62089daaa492272ed9dbd04c5f8a3c54c9f02bd7a8b5a58
Opcode Fuzzy Hash: 66c5771beacd57b737833a9dfcb3951bf644b0f1896f22c6bb502777da5b9280
Instruction Fuzzy Hash: 88117C70A142699FEB15DFB4D884AAEBBB2EF49700F144429E481A7350DB719845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06436E70 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a532e4d68fa4b7a5e96ce1a6217c32060374ba064b9238684f0c83af91eb84
Instruction ID: 200772db9026a7fd2e95b37f9a7d583024f8bfb295cc0f3b2a1dd6af7940ef63
Opcode Fuzzy Hash: 07a532e4d68fa4b7a5e96ce1a6217c32060374ba064b9238684f0c83af91eb84
Instruction Fuzzy Hash: FD118BB6E00268AFCF05CFD8D8018DEBBF5FF4C310B00416AE515A7254D73169098BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0643F141 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.707475754.0000000006430000.00000040.00000800.00020000.00000000.sdmp, Offset: 06430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6430000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a274336b3e88497c0ef0c4279a575c734d47a538812c96c0c7906af1cfd75
Instruction ID: 2f776b1c079e0ca2e1ab0b756a94f7e29973d81f0f3e5356971c2c47ca1f329a
Opcode Fuzzy Hash: d33a274336b3e88497c0ef0c4279a575c734d47a538812c96c0c7906af1cfd75
Instruction Fuzzy Hash: B8E08639F052148FDB449B35A84827D7BA3F7CC222B158967E90AD3340CF344C128740

Uniqueness

Uniqueness Score: -1.00%

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodeKPEkBAWDzqvcYgqMPAoc.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449157978.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodeKPEkBAWDzqvcYgqMPAoc.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.456163943.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.456312270.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449669672.0000000002D42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.447804176.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.429740069.00000000075D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.455944920.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000000.407309402.0000000000927000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEnumAssembliesFl.exe. vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.486008108.0000000005EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEnumAssembliesFl.exe. vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000000.445608917.0000000000436000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodeKPEkBAWDzqvcYgqMPAoc.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.672371331.0000000000799000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Binary or memory string: OriginalFilenameEnumAssembliesFl.exe. vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetectNet.01.16858.8637

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bgnFA.exe.log

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.16858.8637

Function 05188640 Relevance: 41.9, Strings: 30, Instructions: 4369
COMMON

Function 012CBCC3 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Function 012CBCD0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 051803F8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 051803EF Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 012C3EA0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 012C536B Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 063C5060 Relevance: 2.3, APIs: 1, Instructions: 760
libraryCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre