Windows Analysis Report TOP URGENT.exe

Overview

General Information

Sample Name: TOP URGENT.exe
Analysis ID: 483922
MD5: 3af20ee616d2d9c806d27a3c245d4d7b
SHA1: f4448544d0fd560be3a8c1e6ff46670251785267
SHA256: c810e257ac876cb505d076efee941037f5f9fd11464a4af8515d0fbac61509b1
Tags: AgentTesla, exe
Most interesting Screenshot: (screenshot not included in this extract)

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TOP URGENT.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\TOP URGENT.exe' MD5: 3AF20EE616D2D9C806D27A3C245D4D7B)
    • MSBuild.exe (PID: 6592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ppc@almuntakhaba.com", "Password": "amite123", "Host": "smtp.almuntakhaba.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(6 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3e4d7b0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3e4d7b0.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3f5dfd0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 further entries not shown in this extract)

Sigma Overview

Networking:

Sigma detected: MSBuild connects to smtp port
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6592, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49820

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\TOP URGENT.exe' , ParentImage: C:\Users\user\Desktop\TOP URGENT.exe, ParentProcessId: 6352, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6592

                      Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.MSBuild.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ppc@almuntakhaba.com", "Password": "amite123", "Host": "smtp.almuntakhaba.com"}
Multi AV Scanner detection for submitted file
Source: TOP URGENT.exe, ReversingLabs: Detection: 15%
Source: 4.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: TOP URGENT.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 20.190.160.131:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: TOP URGENT.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
Source: Binary string: l0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+ source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4 source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
Source: Binary string: lC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbr source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
Source: Binary string: .pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49820 -> 208.91.199.225:587
Source: Joe Sandbox View, JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View, IP Address: 208.91.199.225 208.91.199.225
Source: global traffic, TCP traffic: 192.168.2.3:49820 -> 208.91.199.225:587
Source: global traffic, TCP traffic: 192.168.2.3:49820 -> 208.91.199.225:587
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown, Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 23.35.237.194
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 23.55.161.160
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 23.55.161.160
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.131
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, String found in binary or memory: http://bEdYOo.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.503782526.0000000002D02000.00000004.00000001.sdmp, String found in binary or memory: http://q77LAYiewN5yqbw.net
Source: MSBuild.exe, 00000004.00000002.503753112.0000000002CF5000.00000004.00000001.sdmp, String found in binary or memory: http://smtp.almuntakhaba.com
Source: MSBuild.exe, 00000004.00000002.503753112.0000000002CF5000.00000004.00000001.sdmp, String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: TOP URGENT.exe, 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown, DNS traffic detected: queries for: smtp.almuntakhaba.com
Source: unknown, HTTPS traffic detected: 20.190.160.131:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: TOP URGENT.exe, 00000000.00000002.244355309.00000000011B0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      barindex
                      .NET source code contains very large stringsShow sources
                      Source: TOP URGENT.exe, Form1.csLong String: Length: 38272
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.csLong String: Length: 38272
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.csLong String: Length: 38272
                      Source: TOP URGENT.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_009F8B540_2_009F8B54
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_0159E6180_2_0159E618
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_0159E6080_2_0159E608
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_0159BC740_2_0159BC74
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D81A100_2_04D81A10
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D803800_2_04D80380
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D805D70_2_04D805D7
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D805F00_2_04D805F0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D845800_2_04D84580
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D806580_2_04D80658
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D806430_2_04D80643
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D800400_2_04D80040
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D800070_2_04D80007
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D803710_2_04D80371
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75CC00_2_08C75CC0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C744D10_2_08C744D1
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75CD00_2_08C75CD0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C744E00_2_08C744E0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C794900_2_08C79490
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C794A00_2_08C794A0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C778500_2_08C77850
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7C4600_2_08C7C460
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C750180_2_08C75018
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C758290_2_08C75829
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C750300_2_08C75030
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C758380_2_08C75838
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7C1900_2_08C7C190
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7AD400_2_08C7AD40
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C799190_2_08C79919
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C77D200_2_08C77D20
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7712A0_2_08C7712A
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C799280_2_08C79928
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C771380_2_08C77138
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5F2F84_2_00B5F2F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5C1984_2_00B5C198
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B561794_2_00B56179
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B54B404_2_00B54B40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5F2984_2_00B5F298
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5A6084_2_00B5A608
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B535904_2_00B53590
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B529204_2_00B52920
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5D3684_2_00B5D368
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00DF0E084_2_00DF0E08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E168304_2_00E16830
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E15AD04_2_00E15AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1E6504_2_00E1E650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1FA104_2_00E1FA10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F4B8C04_2_00F4B8C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F460B04_2_00F460B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F428304_2_00F42830
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F481A44_2_00F481A4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F405904_2_00F40590
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0280482C4_2_0280482C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0280482E4_2_0280482E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0280D6C04_2_0280D6C0
                      Source: TOP URGENT.exe Binary or memory string: OriginalFilename vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.244355309.00000000011B0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000000.222779716.00000000009F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRuntimeFeatu.exeh$ vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.249062547.0000000008E50000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.244962828.0000000002D97000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNuOvAFWSWQdMrKTXvyKfCQZfruIZXIbbF.exe4 vs TOP URGENT.exe
                      Source: TOP URGENT.exe Binary or memory string: OriginalFilenameRuntimeFeatu.exeh$ vs TOP URGENT.exe
                      Source: TOP URGENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: TOP URGENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: TOP URGENT.exe ReversingLabs: Detection: 15%
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Users\user\Desktop\TOP URGENT.exe 'C:\Users\user\Desktop\TOP URGENT.exe'
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\TOP URGENT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TOP URGENT.exe.log
                      Source: classification engine Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@3/2@2/1
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                      Source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+
                      Source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4
                      Source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
                      Source: TOP URGENT.exe, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\TOP URGENT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: TOP URGENT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: TOP URGENT.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
                      Source: Binary string: l0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+ source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4 source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
                      Source: Binary string: lC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbr source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: TOP URGENT.exe, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Code function: 0_2_009F297F push 20000001h; retf 0_2_009F2992
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1B517 push edi; retn 0000h 4_2_00E1B519
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1D51B push ebp; iretd 4_2_00E1D559
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1DA85 push edi; ret 4_2_00E1DA86
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1D380 pushfd ; retf 4_2_00E1D38D
                      Source: initial sample Static PE information: section name: .text entropy: 7.54096955911
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:
