Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.16858.8637

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetectNet.01.16858.8637 (renamed file extension from 8637 to exe)
Analysis ID:	682147
MD5:	dfe8f6d0b1fb5fb795f5596564ed5a60
SHA1:	0e94379e76c28d605fd35c65369626a823924000
SHA256:	342c1de5e06e65ef00a4d5c0c39e4157d5b54268f3324d6db17f76498b02a7c1
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.AIDetectNet.01.16858.exe (PID: 5884 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe" MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

SecuriteInfo.com.W32.AIDetectNet.01.16858.exe (PID: 5800 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

bgnFA.exe (PID: 2508 cmdline: "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe" MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

bgnFA.exe (PID: 5936 cmdline: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

bgnFA.exe (PID: 5312 cmdline: "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe" MD5: DFE8F6D0B1FB5FB795F5596564ED5A60)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "mostafa@gpd-qatar.com", "Password": "Toy?C@R2v$4bKt", "Host": "mail.gpd-qatar.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x678c1:$a13: get_DnsResolver 0x9b6e1:$a13: get_DnsResolver 0xcf301:$a13: get_DnsResolver 0x6611e:$a20: get_LastAccessed 0x99f3e:$a20: get_LastAccessed 0xcdb5e:$a20: get_LastAccessed 0x68251:$a27: set_InternalServerPort 0x9c071:$a27: set_InternalServerPort 0xcfc91:$a27: set_InternalServerPort 0x6856e:$a30: set_GuidMasterKey 0x9c38e:$a30: set_GuidMasterKey 0xcffae:$a30: set_GuidMasterKey 0x66225:$a33: get_Clipboard 0x9a045:$a33: get_Clipboard 0xcdc65:$a33: get_Clipboard 0x66233:$a34: get_Keyboard 0x9a053:$a34: get_Keyboard 0xcdc73:$a34: get_Keyboard 0x674de:$a35: get_ShiftKeyDown 0x9b2fe:$a35: get_ShiftKeyDown 0xcef1e:$a35: get_ShiftKeyDown
00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f8b9:$a13: get_DnsResolver 0x2e116:$a20: get_LastAccessed 0x30249:$a27: set_InternalServerPort 0x30566:$a30: set_GuidMasterKey 0x2e21d:$a33: get_Clipboard 0x2e22b:$a34: get_Keyboard 0x2f4d6:$a35: get_ShiftKeyDown 0x2f4e7:$a36: get_AltKeyDown 0x2e238:$a37: get_Password 0x2ecac:$a38: get_PasswordHash 0x2fcc1:$a39: get_DefaultCredentials
0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xaf09:$a13: get_DnsResolver 0x99c0:$a20: get_LastAccessed 0xb84e:$a27: set_InternalServerPort 0xbab1:$a30: set_GuidMasterKey 0x9ab3:$a33: get_Clipboard 0x9ac1:$a34: get_Keyboard 0xabbf:$a35: get_ShiftKeyDown 0xabd0:$a36: get_AltKeyDown 0x9ace:$a37: get_Password 0xa49e:$a38: get_PasswordHash 0xb2e8:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1e67c:$a13: get_DnsResolver 0x1d133:$a20: get_LastAccessed 0x1efc1:$a27: set_InternalServerPort 0x1f224:$a30: set_GuidMasterKey 0x1d226:$a33: get_Clipboard 0x1d234:$a34: get_Keyboard 0x1e332:$a35: get_ShiftKeyDown 0x1e343:$a36: get_AltKeyDown 0x1d241:$a37: get_Password 0x1dc11:$a38: get_PasswordHash 0x1ea5b:$a39: get_DefaultCredentials
Process Memory Space: bgnFA.exe PID: 2508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bgnFA.exe PID: 5936	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: bgnFA.exe PID: 5936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3059a:$s10: logins 0x2fff6:$s11: credential 0x2c61d:$g1: get_Clipboard 0x2c62b:$g2: get_Keyboard 0x2c638:$g3: get_Password 0x2d8c6:$g4: get_CtrlKeyDown 0x2d8d6:$g5: get_ShiftKeyDown 0x2d8e7:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2dcb9:$a13: get_DnsResolver 0x2c516:$a20: get_LastAccessed 0x2e649:$a27: set_InternalServerPort 0x2e966:$a30: set_GuidMasterKey 0x2c61d:$a33: get_Clipboard 0x2c62b:$a34: get_Keyboard 0x2d8d6:$a35: get_ShiftKeyDown 0x2d8e7:$a36: get_AltKeyDown 0x2c638:$a37: get_Password 0x2d0ac:$a38: get_PasswordHash 0x2e0c1:$a39: get_DefaultCredentials
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3239a:$s10: logins 0x31df6:$s11: credential 0x2e41d:$g1: get_Clipboard 0x2e42b:$g2: get_Keyboard 0x2e438:$g3: get_Password 0x2f6c6:$g4: get_CtrlKeyDown 0x2f6d6:$g5: get_ShiftKeyDown 0x2f6e7:$g6: get_AltKeyDown
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fab9:$a13: get_DnsResolver 0x2e316:$a20: get_LastAccessed 0x30449:$a27: set_InternalServerPort 0x30766:$a30: set_GuidMasterKey 0x2e41d:$a33: get_Clipboard 0x2e42b:$a34: get_Keyboard 0x2f6d6:$a35: get_ShiftKeyDown 0x2f6e7:$a36: get_AltKeyDown 0x2e438:$a37: get_Password 0x2eeac:$a38: get_PasswordHash 0x2fec1:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3059a:$s10: logins 0x2fff6:$s11: credential 0x2c61d:$g1: get_Clipboard 0x2c62b:$g2: get_Keyboard 0x2c638:$g3: get_Password 0x2d8c6:$g4: get_CtrlKeyDown 0x2d8d6:$g5: get_ShiftKeyDown 0x2d8e7:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2dcb9:$a13: get_DnsResolver 0x2c516:$a20: get_LastAccessed 0x2e649:$a27: set_InternalServerPort 0x2e966:$a30: set_GuidMasterKey 0x2c61d:$a33: get_Clipboard 0x2c62b:$a34: get_Keyboard 0x2d8d6:$a35: get_ShiftKeyDown 0x2d8e7:$a36: get_AltKeyDown 0x2c638:$a37: get_Password 0x2d0ac:$a38: get_PasswordHash 0x2e0c1:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3239a:$s10: logins 0x65fba:$s10: logins 0x31df6:$s11: credential 0x65a16:$s11: credential 0x2e41d:$g1: get_Clipboard 0x6203d:$g1: get_Clipboard 0x2e42b:$g2: get_Keyboard 0x6204b:$g2: get_Keyboard 0x2e438:$g3: get_Password 0x62058:$g3: get_Password 0x2f6c6:$g4: get_CtrlKeyDown 0x632e6:$g4: get_CtrlKeyDown 0x2f6d6:$g5: get_ShiftKeyDown 0x632f6:$g5: get_ShiftKeyDown 0x2f6e7:$g6: get_AltKeyDown 0x63307:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xa6ab7:$s1: file:/// 0x11a8d7:$s1: file:/// 0xa69c7:$s2: {11111-22222-10009-11112} 0x11a7e7:$s2: {11111-22222-10009-11112} 0xa6a47:$s3: {11111-22222-50001-00000} 0x11a867:$s3: {11111-22222-50001-00000} 0xa3d9b:$s4: get_Module 0x117bbb:$s4: get_Module 0x2e95c:$s5: Reverse 0x6257c:$s5: Reverse 0xa4214:$s5: Reverse 0x118034:$s5: Reverse 0x30808:$s6: BlockCopy 0x64428:$s6: BlockCopy 0xa6189:$s6: BlockCopy 0x119fa9:$s6: BlockCopy 0x2ebfd:$s7: ReadByte 0x6281d:$s7: ReadByte 0xa6ac9:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x11a8e9:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fab9:$a13: get_DnsResolver 0x636d9:$a13: get_DnsResolver 0x2e316:$a20: get_LastAccessed 0x61f36:$a20: get_LastAccessed 0x30449:$a27: set_InternalServerPort 0x64069:$a27: set_InternalServerPort 0x30766:$a30: set_GuidMasterKey 0x64386:$a30: set_GuidMasterKey 0x2e41d:$a33: get_Clipboard 0x6203d:$a33: get_Clipboard 0x2e42b:$a34: get_Keyboard 0x6204b:$a34: get_Keyboard 0x2f6d6:$a35: get_ShiftKeyDown 0x632f6:$a35: get_ShiftKeyDown 0x2f6e7:$a36: get_AltKeyDown 0x63307:$a36: get_AltKeyDown 0x2e438:$a37: get_Password 0x62058:$a37: get_Password 0x2eeac:$a38: get_PasswordHash 0x62acc:$a38: get_PasswordHash 0x2fec1:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3239a:$s10: logins 0x661ba:$s10: logins 0x99dda:$s10: logins 0x31df6:$s11: credential 0x65c16:$s11: credential 0x99836:$s11: credential 0x2e41d:$g1: get_Clipboard 0x6223d:$g1: get_Clipboard 0x95e5d:$g1: get_Clipboard 0x2e42b:$g2: get_Keyboard 0x6224b:$g2: get_Keyboard 0x95e6b:$g2: get_Keyboard 0x2e438:$g3: get_Password 0x62258:$g3: get_Password 0x95e78:$g3: get_Password 0x2f6c6:$g4: get_CtrlKeyDown 0x634e6:$g4: get_CtrlKeyDown 0x97106:$g4: get_CtrlKeyDown 0x2f6d6:$g5: get_ShiftKeyDown 0x634f6:$g5: get_ShiftKeyDown 0x97116:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xda8d7:$s1: file:/// 0x14e6f7:$s1: file:/// 0xda7e7:$s2: {11111-22222-10009-11112} 0x14e607:$s2: {11111-22222-10009-11112} 0xda867:$s3: {11111-22222-50001-00000} 0x14e687:$s3: {11111-22222-50001-00000} 0xd7bbb:$s4: get_Module 0x14b9db:$s4: get_Module 0x2e95c:$s5: Reverse 0x6277c:$s5: Reverse 0x9639c:$s5: Reverse 0xd8034:$s5: Reverse 0x14be54:$s5: Reverse 0x30808:$s6: BlockCopy 0x64628:$s6: BlockCopy 0x98248:$s6: BlockCopy 0xd9fa9:$s6: BlockCopy 0x14ddc9:$s6: BlockCopy 0x2ebfd:$s7: ReadByte 0x62a1d:$s7: ReadByte 0x9663d:$s7: ReadByte
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fab9:$a13: get_DnsResolver 0x638d9:$a13: get_DnsResolver 0x974f9:$a13: get_DnsResolver 0x2e316:$a20: get_LastAccessed 0x62136:$a20: get_LastAccessed 0x95d56:$a20: get_LastAccessed 0x30449:$a27: set_InternalServerPort 0x64269:$a27: set_InternalServerPort 0x97e89:$a27: set_InternalServerPort 0x30766:$a30: set_GuidMasterKey 0x64586:$a30: set_GuidMasterKey 0x981a6:$a30: set_GuidMasterKey 0x2e41d:$a33: get_Clipboard 0x6223d:$a33: get_Clipboard 0x95e5d:$a33: get_Clipboard 0x2e42b:$a34: get_Keyboard 0x6224b:$a34: get_Keyboard 0x95e6b:$a34: get_Keyboard 0x2f6d6:$a35: get_ShiftKeyDown 0x634f6:$a35: get_ShiftKeyDown 0x97116:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x697ba:$s10: logins 0x9d5da:$s10: logins 0xd11fa:$s10: logins 0x69216:$s11: credential 0x9d036:$s11: credential 0xd0c56:$s11: credential 0x6583d:$g1: get_Clipboard 0x9965d:$g1: get_Clipboard 0xcd27d:$g1: get_Clipboard 0x6584b:$g2: get_Keyboard 0x9966b:$g2: get_Keyboard 0xcd28b:$g2: get_Keyboard 0x65858:$g3: get_Password 0x99678:$g3: get_Password 0xcd298:$g3: get_Password 0x66ae6:$g4: get_CtrlKeyDown 0x9a906:$g4: get_CtrlKeyDown 0xce526:$g4: get_CtrlKeyDown 0x66af6:$g5: get_ShiftKeyDown 0x9a916:$g5: get_ShiftKeyDown 0xce536:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x111cf7:$s1: file:/// 0x185b17:$s1: file:/// 0x111c07:$s2: {11111-22222-10009-11112} 0x185a27:$s2: {11111-22222-10009-11112} 0x111c87:$s3: {11111-22222-50001-00000} 0x185aa7:$s3: {11111-22222-50001-00000} 0x10efdb:$s4: get_Module 0x182dfb:$s4: get_Module 0x65d7c:$s5: Reverse 0x99b9c:$s5: Reverse 0xcd7bc:$s5: Reverse 0x10f454:$s5: Reverse 0x183274:$s5: Reverse 0x67c28:$s6: BlockCopy 0x9ba48:$s6: BlockCopy 0xcf668:$s6: BlockCopy 0x1113c9:$s6: BlockCopy 0x1851e9:$s6: BlockCopy 0x6601d:$s7: ReadByte 0x99e3d:$s7: ReadByte 0xcda5d:$s7: ReadByte
0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x66ed9:$a13: get_DnsResolver 0x9acf9:$a13: get_DnsResolver 0xce919:$a13: get_DnsResolver 0x65736:$a20: get_LastAccessed 0x99556:$a20: get_LastAccessed 0xcd176:$a20: get_LastAccessed 0x67869:$a27: set_InternalServerPort 0x9b689:$a27: set_InternalServerPort 0xcf2a9:$a27: set_InternalServerPort 0x67b86:$a30: set_GuidMasterKey 0x9b9a6:$a30: set_GuidMasterKey 0xcf5c6:$a30: set_GuidMasterKey 0x6583d:$a33: get_Clipboard 0x9965d:$a33: get_Clipboard 0xcd27d:$a33: get_Clipboard 0x6584b:$a34: get_Keyboard 0x9966b:$a34: get_Keyboard 0xcd28b:$a34: get_Keyboard 0x66af6:$a35: get_ShiftKeyDown 0x9a916:$a35: get_ShiftKeyDown 0xce536:$a35: get_ShiftKeyDown
Click to see the 22 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Virustotal: Detection: 17%

Perma Link

Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mostafa@gpd-qatar.com", "Password": "Toy?C@R2v$4bKt", "Host": "mail.gpd-qatar.com"}

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49767 -> 50.87.253.110:587

Source: global traffic

TCP traffic: 192.168.2.5:49767 -> 50.87.253.110:587

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DGTGmt.com
Source: bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698098173.0000000003121000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698171434.000000000312A000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697762371.00000000030F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://LyFPshcnr7V.net
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628638098.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706267699.0000000005FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628638098.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/QF:
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495839319.00000000067F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627609088.00000000067F8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627807287.0000000005F75000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.gpd-qatar.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, bgnFA.exe.6.dr	String found in binary or memory: http://philiphanson.org/medius/book/1.0
Source: bgnFA.exe.6.dr	String found in binary or memory: http://philiphanson.org/medius/temp-transform
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499067814.0000000005F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497043630.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com91(Z
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417045383.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417084076.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comc1nZ1
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.417003338.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comwit
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499067814.0000000005F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627417778.00000000067C3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497454262.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496857402.00000000067D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627511724.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497585491.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706267699.0000000005FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.448367203.00000000012D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.413853855.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.413853855.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn-
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499163953.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.676529704.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627511724.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comivu
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.414005981.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.414013214.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%GETOK
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown

DNS traffic detected: queries for: mail.gpd-qatar.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.447804176.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bD323C4A9u002d3203u002d48AFu002dBCE9u002d20800F01B95Bu007d/u00346788441u002dC7C0u002d44BFu002dB790u002dF91B01BA75FB.cs

Large array initialization: .cctor: array initializer size 11464

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_012CC214
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_012CEBA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_012CEBB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_05188640
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 0_2_05188610
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0281EFD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0281F320
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0281FBF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_028160A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DDA18
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DC008
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DD080
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DF9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061DCF30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D32A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D41E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C8764
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C5060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C1080
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C2108
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063CAC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C3C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C9A68
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063C8C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063CAC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_063CB910
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06436E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643047A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06433078
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06435878
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643D978
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643A1D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_06437328
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_0643A174
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_064395F0

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Virustotal: Detection: 17%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe "C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/4@2/2

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.810000.0.unpack, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: bgnFA.exe.6.dr, Main.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static file information: File size 1131008 > 1048576

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.810000.0.unpack, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: bgnFA.exe.6.dr, Main.cs	.Net Code: SafeHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D166A push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1662 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D169A push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16BA push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16B2 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16AA push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D26D8 pushfd ; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16DA push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16D2 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16CA push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16C2 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16FA push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16F2 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16EA push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D16E2 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D171A push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1712 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D170A push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1702 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D173A push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1732 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D172A push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1722 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1742 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D179E push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D1796 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D178E push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17BE push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17B6 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17AE push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Code function: 6_2_061D17A6 push es; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.433620851852969
Source: initial sample	Static PE information: section name: .text entropy: 7.433620851852969

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bgnFA			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bgnFA			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

File opened: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 2508, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe TID: 5892	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe TID: 3952	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe TID: 6076	Thread sleep count: 9539 > 30
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 4520	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 4596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 5296	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe TID: 4112	Thread sleep count: 9408 > 30

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Window / User API: threadDelayed 9539
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Window / User API: threadDelayed 9408

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Thread delayed: delay time: 922337203685477

Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628197268.0000000006888000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496499510.0000000006885000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF_
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.628197268.0000000006888000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496499510.0000000006885000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.447149466.0000000008B60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nRQemu
Source: bgnFA.exe, 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Code function: 6_2_061DC4A0 LdrInitializeThunk,

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Memory written: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Process created: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 5936, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: Yara match	File source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 5936, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3dd0c28.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d9ce08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.3d659e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bgnFA.exe PID: 5936, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	114 System Information Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Query Registry	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	111 Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe	17%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://api.ipify.org%GETOK	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://www.postsignum.cz/crl/psrootqca2.crl02	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/lcr0#	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.defence.gov.au/pki0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://ca.mtin.es/mtin/ocsp0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://philiphanson.org/medius/temp-transform	0%	Avira URL Cloud	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://ca.mtin.es/mtin/DPCyPoliticas0	0%	URL Reputation	safe
http://www.carterandcone.como	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://LyFPshcnr7V.net	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.founder.com.cn/cn-	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe
http://ocsp.ncdc.gov.sa0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.gpd-qatar.com	50.87.253.110	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org%GETOK	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627807287.0000000005F75000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.e-me.lv/repository0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.suscerte.gob.ve0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.postsignum.cz/crl/psrootqca2.crl02	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497043630.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.suscerte.gob.ve/lcr0#	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.411626950.0000000005BEB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certeurope.fr/reference/root2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.defence.gov.au/pki0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrito	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.448367203.00000000012D7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sk.ee/cps/0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.globaltrust.info0=	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.anf.es	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pki.registradores.org/normativa/index.htm0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://policy.camerfirma.com0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ssc.lt/cps03	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.708046683.00000000067CF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627443158.00000000067CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anf.es/es/address-direccion.html	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.mtin.es/mtin/ocsp0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cps.letsencrypt.org0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.698029049.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697854473.00000000030FF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://philiphanson.org/medius/temp-transform	bgnFA.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.dnie.es/dpc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.627511724.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.mtin.es/mtin/DPCyPoliticas0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.como	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.415362435.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.globaltrust.info0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acedicom.edicomgroup.com/doc0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class3TS.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499067814.0000000005F79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://crl.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certeurope.fr/reference/pc-root2.pdf0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497721282.0000000005EFA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499223145.0000000005F75000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ac.economia.gob.mx/last.crl0G	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://LyFPshcnr7V.net	bgnFA.exe, 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698098173.0000000003121000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.698171434.000000000312A000.00000004.00000800.00020000.00000000.sdmp, bgnFA.exe, 0000000E.00000002.697762371.00000000030F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.catcert.net/verarrel	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca0f	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn-	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.413853855.0000000005BD8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-szigno.hu/RootCA.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sk.ee/juur/crl/0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497065018.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497616371.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eca.hinet.net/repository0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ssc.lt/root-a/cacrl.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496102748.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es00	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.netlock.net/docs	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-trust.be/CPS/QNcerts	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497585491.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.495605505.00000000067C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706267699.0000000005FAC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.ncdc.gov.sa0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignCA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497226278.0000000005F7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.454376754.0000000006DE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497437781.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.706213888.0000000005F96000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.499099053.0000000005F96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496752658.0000000005F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.497454262.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496912081.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.496596703.0000000005FB4000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.253.110	mail.gpd-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682147
Start date and time:	2022-08-11 06:30:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.W32.AIDetectNet.01.16858.8637 (renamed file extension from 8637 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/4@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 209.197.3.8
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, arc.msn.com, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:31:25	API Interceptor	623x Sleep call for process: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe modified
06:31:39	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bgnFA C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
06:31:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bgnFA C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
06:32:03	API Interceptor	341x Sleep call for process: bgnFA.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bgnFA.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1131008
Entropy (8bit):	7.058493037232615
Encrypted:	false
SSDEEP:	24576:AAi4vwHmQl/HrwmpStXqDrbWtOJqyp9hgi:ANHrw7aCOJJ
MD5:	DFE8F6D0B1FB5FB795F5596564ED5A60
SHA1:	0E94379E76C28D605FD35C65369626A823924000
SHA-256:	342C1DE5E06E65EF00A4D5C0C39E4157D5B54268F3324D6DB17F76498B02A7C1
SHA-512:	4C188F028F2FE1D73E009B754C670CE6267FAB4CDBA288E75E544D8FA153F6A1AB1BC363BE69F5D7E713D672CC737CD2D69B67793E89C248352B4EBB7BB9CE8D
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 17%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.b..............0......:......V$... ...@....@.. ....................................@..................................$..O....@...7........................................................................... ............... ..H............text...\.... ...................... ..`.rsrc....7...@...8..................@..@.reloc...............@..............@..B................8$......H...........L.......j....l.. ............................................0............{....o.....+..f..{.....,..+.~ ...o!....&...}........0..j........s"......{....o#...o$....+(.o%...t......o&.....,...o'...u....o(.....o)...-....u........,...o........+.............4M........s"...}......}.....(+......(.......0..s.........{...........s,...o-......{....o.....+0..(/......o....s0......o1.....{....o#....o2...&...(3...-...........o............&.=c.......0..+.........,..{......

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.058493037232615
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
File size:	1131008
MD5:	dfe8f6d0b1fb5fb795f5596564ed5a60
SHA1:	0e94379e76c28d605fd35c65369626a823924000
SHA256:	342c1de5e06e65ef00a4d5c0c39e4157d5b54268f3324d6db17f76498b02a7c1
SHA512:	4c188f028f2fe1d73e009b754c670ce6267fab4cdba288e75e544d8fa153f6a1ab1bc363be69f5d7e713d672cc737cd2d69b67793e89c248352b4ebb7bb9ce8d
SSDEEP:	24576:AAi4vwHmQl/HrwmpStXqDrbWtOJqyp9hgi:ANHrw7aCOJJ
TLSH:	D2359DDEEA48C85ADD154B30E83948F05767BDA5F435D85F285BBC21BA7338E212AD03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.b..............0......:......V$... ...@....@.. ....................................@................................

File Icon


Icon Hash:	0f3135466416514c

Static PE Info

General

Entrypoint:	0x4e2456
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F46281 [Thu Aug 11 01:59:29 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe2404	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe4000	0x337a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x118000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe045c	0xe0600	False	0.6771903290389972	data	7.433620851852969	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe4000	0x337a4	0x33800	False	0.1639961316747573	data	4.093478798314193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x118000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe4160	0x33090	data
RT_GROUP_ICON	0x1171f0	0x14	data
RT_GROUP_ICON	0x117204	0x14	data
RT_VERSION	0x117218	0x3a0	data
RT_MANIFEST	0x1175b8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:31:52.393898010 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:52.564441919 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:52.565962076 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:52.872816086 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:52.873655081 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.044276953 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.044578075 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.216497898 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.341092110 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.518033028 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518070936 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518093109 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518110037 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.518186092 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.518229961 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.520034075 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.581407070 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:53.752665043 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:53.959604025 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.128820896 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.299420118 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.304728031 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.475887060 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.476553917 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.687643051 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.783134937 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.785454988 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:57.955754042 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.959969044 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:57.960346937 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.132647038 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.135360003 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.305826902 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.306900978 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.307035923 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.307812929 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.307898998 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:31:58.477329016 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.477361917 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.478331089 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.478370905 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.479069948 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:31:58.647525072 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:38.429254055 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:38.599436998 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:38.599688053 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:38.903387070 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:38.903830051 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.074331999 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.074683905 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.246436119 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.266998053 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.446536064 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446569920 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446587086 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446599960 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446610928 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.446913004 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.455908060 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.626528025 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.689002991 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:39.859565973 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:39.860413074 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.031085968 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.031702995 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.242882013 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.338757038 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.339184999 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.509526968 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.509551048 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.509987116 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.682395935 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.682790995 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.853790998 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:40.854865074 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.854993105 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.855067015 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:40.855168104 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:32:41.026067019 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:41.026170969 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:41.027707100 CEST	587	49856	50.87.253.110	192.168.2.5
Aug 11, 2022 06:32:41.161303997 CEST	49856	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:33:32.128531933 CEST	49767	587	192.168.2.5	50.87.253.110
Aug 11, 2022 06:33:32.339531898 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:33:32.771600962 CEST	587	49767	50.87.253.110	192.168.2.5
Aug 11, 2022 06:33:32.772248030 CEST	49767	587	192.168.2.5	50.87.253.110

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 11, 2022 06:31:52.169194937 CEST	59661	53	192.168.2.5	8.8.8.8
Aug 11, 2022 06:31:52.350989103 CEST	53	59661	8.8.8.8	192.168.2.5
Aug 11, 2022 06:32:38.382360935 CEST	62525	53	192.168.2.5	8.8.8.8
Aug 11, 2022 06:32:38.401916981 CEST	53	62525	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 11, 2022 06:31:52.169194937 CEST	192.168.2.5	8.8.8.8	0x100e	Standard query (0)	mail.gpd-qatar.com	A (IP address)	IN (0x0001)
Aug 11, 2022 06:32:38.382360935 CEST	192.168.2.5	8.8.8.8	0xf46	Standard query (0)	mail.gpd-qatar.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 11, 2022 06:31:52.350989103 CEST	8.8.8.8	192.168.2.5	0x100e	No error (0)	mail.gpd-qatar.com		50.87.253.110	A (IP address)	IN (0x0001)
Aug 11, 2022 06:32:38.401916981 CEST	8.8.8.8	192.168.2.5	0xf46	No error (0)	mail.gpd-qatar.com		50.87.253.110	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 11, 2022 06:31:52.872816086 CEST	587	49767	50.87.253.110	192.168.2.5	220-box2181.bluehost.com ESMTP Exim 4.95 #2 Wed, 10 Aug 2022 22:31:52 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 11, 2022 06:31:52.873655081 CEST	49767	587	192.168.2.5	50.87.253.110	EHLO 320946
Aug 11, 2022 06:31:53.044276953 CEST	587	49767	50.87.253.110	192.168.2.5	250-box2181.bluehost.com Hello 320946 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 11, 2022 06:31:53.044578075 CEST	49767	587	192.168.2.5	50.87.253.110	STARTTLS
Aug 11, 2022 06:31:53.216497898 CEST	587	49767	50.87.253.110	192.168.2.5	220 TLS go ahead
Aug 11, 2022 06:32:38.903387070 CEST	587	49856	50.87.253.110	192.168.2.5	220-box2181.bluehost.com ESMTP Exim 4.95 #2 Wed, 10 Aug 2022 22:32:38 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 11, 2022 06:32:38.903830051 CEST	49856	587	192.168.2.5	50.87.253.110	EHLO 320946
Aug 11, 2022 06:32:39.074331999 CEST	587	49856	50.87.253.110	192.168.2.5	250-box2181.bluehost.com Hello 320946 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 11, 2022 06:32:39.074683905 CEST	49856	587	192.168.2.5	50.87.253.110	STARTTLS
Aug 11, 2022 06:32:39.246436119 CEST	587	49856	50.87.253.110	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	06:31:13
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe"
Imagebase:	0x810000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.450695772.0000000002F57000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: SecuriteInfo.com.W32.AIDetectNet.01.16858.exePID: 5800, Parent PID: 5884

General

Target ID:	6
Start time:	06:31:27
Start date:	11/08/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Imagebase:	0x4f0000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.445181594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.688305990.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: bgnFA.exePID: 2508, Parent PID: 684

General

Target ID:	10
Start time:	06:31:47
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Imagebase:	0xd60000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.539353757.000000000327C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.545607388.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 17%, Virustotal, Browse
Reputation:	low

Analysis Process: bgnFA.exePID: 5312, Parent PID: 684

General

Target ID:	13
Start time:	06:31:58
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe"
Imagebase:	0x9b0000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: bgnFA.exePID: 5936, Parent PID: 2508

General

Target ID:	14
Start time:	06:32:10
Start date:	11/08/2022
Path:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe
Imagebase:	0x9f0000
File size:	1131008 bytes
MD5 hash:	DFE8F6D0B1FB5FB795F5596564ED5A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.687783160.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

⊘No disassembly

Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodeKPEkBAWDzqvcYgqMPAoc.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.451298378.0000000003D65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449157978.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449409906.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodeKPEkBAWDzqvcYgqMPAoc.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.456163943.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.456312270.0000000008BE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.449669672.0000000002D42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.447804176.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000003.429740069.00000000075D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000002.455944920.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000000.00000000.407309402.0000000000927000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEnumAssembliesFl.exe. vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000003.486008108.0000000005EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEnumAssembliesFl.exe. vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000000.445608917.0000000000436000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodeKPEkBAWDzqvcYgqMPAoc.exe4 vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe, 00000006.00000002.672371331.0000000000799000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe
Source: SecuriteInfo.com.W32.AIDetectNet.01.16858.exe	Binary or memory string: OriginalFilenameEnumAssembliesFl.exe. vs SecuriteInfo.com.W32.AIDetectNet.01.16858.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.AIDetectNet.01.16858.8637

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.16858.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bgnFA.exe.log

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe

C:\Users\user\AppData\Roaming\bgnFA\bgnFA.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
SecuriteInfo.com.W32.AIDetectNet.01.16858.8637

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre