
Windows Analysis Report TOP URGENT.exe

Overview

General Information

Sample Name:TOP URGENT.exe
Analysis ID:483922
MD5:3af20ee616d2d9c806d27a3c245d4d7b
SHA1:f4448544d0fd560be3a8c1e6ff46670251785267
SHA256:c810e257ac876cb505d076efee941037f5f9fd11464a4af8515d0fbac61509b1
Tags:AgentTeslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TOP URGENT.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\TOP URGENT.exe' MD5: 3AF20EE616D2D9C806D27A3C245D4D7B)
    • MSBuild.exe (PID: 6592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ppc@almuntakhaba.com", "Password": "amite123", "Host": "smtp.almuntakhaba.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(6 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3e4d7b0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3e4d7b0.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3f5dfd0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 further entries not shown)

Sigma Overview

Networking:

Sigma detected: MSBuild connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6592, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49820

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\TOP URGENT.exe' , ParentImage: C:\Users\user\Desktop\TOP URGENT.exe, ParentProcessId: 6352, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6592
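
Both Sigma hits above come from the same process. TOP URGENT.exe starts MSBuild.exe with nothing on the command line except the image path, and that same PID 6592 then initiates a connection to TCP/587; together with the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Injects a PE file" signatures, that is the shape of hollowing a trusted, AppLocker-allowed .NET host and exfiltrating from it. The following is an added example, not part of the Joe Sandbox report and not the Sigma rules it cites: it parses event records in the "Key: value, Key: value" layout the report prints, applies the two rules, and correlates them on ProcessId so that the combination is reported as a third, higher-confidence finding. The two malicious records are the report's own lines; the two benign records (a Visual Studio build and its outbound HTTPS) are constructed so the rules have something they must not flag, and the Visual Studio paths in them are assumptions.

```python
import re

# Assumed paths for the constructed benign events (any build-tool parent would do).
VS_MSBUILD = "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe"
DEVENV = "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe"

# Event records in the "Key: value, Key: value" layout used by the report. The first
# two are copied from the Sigma section; the last two are constructed benign events.
SAMPLE_EVENTS = [
    ("Network Connection",
     "DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, "
     "EventID: 3, Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
     "Initiated: true, ProcessId: 6592, Protocol: tcp, SourceIp: 192.168.2.3, "
     "SourceIsIpv6: false, SourcePort: 49820"),
    ("Process started",
     "Command: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
     "CommandLine: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
     "CommandLine|base64offset|contains: , "
     "Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
     "NewProcessName: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
     "OriginalFileName: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
     "ParentCommandLine: 'C:\\Users\\user\\Desktop\\TOP URGENT.exe' , "
     "ParentImage: C:\\Users\\user\\Desktop\\TOP URGENT.exe, ParentProcessId: 6352, "
     "ProcessCommandLine: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
     "ProcessId: 6592"),
    ("Process started",
     'CommandLine: "' + VS_MSBUILD + '" App.csproj /t:Build, Image: ' + VS_MSBUILD
     + ", ParentImage: " + DEVENV + ", ParentProcessId: 2200, ProcessId: 4100"),
    ("Network Connection",
     "DestinationIp: 203.0.113.10, DestinationPort: 443, EventID: 3, Image: " + VS_MSBUILD
     + ", Initiated: true, ProcessId: 4100, Protocol: tcp"),
]

# Split on ", " only where the next token looks like a field name (keys may contain '|').
PAIR_SPLIT = re.compile(r",\s+(?=[\w|]+:\s)")
SMTP_PORTS = {25, 465, 587, 2525}
LOLBIN = "msbuild.exe"


def parse_event(source, data):
    """Turn one 'Key: value, Key: value' record into a dict (first ':' separates key from value)."""
    fields = {"Source": source}
    for pair in PAIR_SPLIT.split(data):
        key, _, value = pair.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_without_arguments(fields):
    """True when the command line is nothing but the (possibly quoted) image path."""
    cmd = fields.get("CommandLine", "").strip().strip("'\"")
    return cmd.lower() == fields.get("Image", "").lower()


def detect_msbuild_abuse(events):
    """Apply both rules, then correlate them per ProcessId."""
    findings, launched, exfil = [], set(), set()
    for source, data in events:
        f = parse_event(source, data)
        if image_name(f.get("Image", "")) != LOLBIN:
            continue
        pid = f.get("ProcessId", "?")
        if source == "Process started" and launched_without_arguments(f):
            launched.add(pid)
            findings.append({"rule": "msbuild_no_arguments", "pid": pid,
                             "detail": "parent " + f.get("ParentImage", "?")})
        elif (source == "Network Connection" and f.get("Initiated", "").lower() == "true"
              and int(f.get("DestinationPort", 0)) in SMTP_PORTS):
            exfil.add(pid)
            findings.append({"rule": "msbuild_smtp_connection", "pid": pid,
                             "detail": f.get("DestinationIp", "?") + ":" + f.get("DestinationPort", "?")})
    for pid in sorted(launched & exfil):
        findings.append({"rule": "msbuild_hollowed_smtp_exfil", "pid": pid,
                         "detail": "argument-less MSBuild later initiated an SMTP connection"})
    return findings


if __name__ == "__main__":
    for finding in detect_msbuild_abuse(SAMPLE_EVENTS):
        print(f"{finding['rule']:<28} pid={finding['pid']:<6} {finding['detail']}")
```

The argument-less launch is the weaker of the two signals on its own (a developer can run a bare MSBuild.exe inside a project directory), which is why the correlated finding, not either rule alone, is the one that should page someone; the SMTP rule is also worth extending to any non-mail-client image rather than MSBuild only, since the injected host varies between AgentTesla builds.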

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.MSBuild.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ppc@almuntakhaba.com", "Password": "amite123", "Host": "smtp.almuntakhaba.com"}
Multi AV Scanner detection for submitted file
Source: TOP URGENT.exe | ReversingLabs: Detection: 15%
Source: 4.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: TOP URGENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 20.190.160.131:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: TOP URGENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
Source: Binary string: l0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+ source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4 source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
Source: Binary string: lC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbr source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
Source: Binary string: .pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49820 -> 208.91.199.225:587
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: global traffic | TCP traffic: 192.168.2.3:49820 -> 208.91.199.225:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49678, 49821, 49688, 49687, 49697, 49686, 49696, 49684
Source: unknown | Network traffic detected: HTTP traffic on port 49678, 49821, 49696, 49697, 49692, 49686, 49684 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 (13 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.221.240 (3 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29 (7 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.35.237.194 (1 event)
Source: unknown | TCP traffic detected without corresponding DNS query: 23.55.161.160 (2 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.131 (21 events)
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | String found in binary or memory: http://bEdYOo.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.503782526.0000000002D02000.00000004.00000001.sdmp | String found in binary or memory: http://q77LAYiewN5yqbw.net
Source: MSBuild.exe, 00000004.00000002.503753112.0000000002CF5000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.almuntakhaba.com
Source: MSBuild.exe, 00000004.00000002.503753112.0000000002CF5000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: TOP URGENT.exe, 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: smtp.almuntakhaba.com
Source: unknown | HTTPS traffic detected: 20.190.160.131:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: TOP URGENT.exe, 00000000.00000002.244355309.00000000011B0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts
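
The report records the injected MSBuild.exe writing C:\Windows\System32\drivers\etc\hosts but not what it wrote. The routine below is an added example, not part of the Joe Sandbox report, of the triage a responder would run over that file on an affected host: it skips the comment-only stock content, then classifies every active mapping as a sinkhole (a name pinned to loopback or 0.0.0.0, which silently blocks update or reporting domains), a redirect (a name pinned to an external address) or an internal pin (private ranges, usually lab or corporate hostnames), and returns a content hash for comparison against a known-good baseline. The sample content is constructed: the first three lines mirror the stock Windows file, the domain names are placeholders under .example, and the redirect address reuses the SMTP server IP from the report's network section purely as an illustration.

```python
import hashlib
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed hosts-file content for this example (placeholder names; the external
# address is reused from the report's network section, not taken from the sample's write).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1 update.av-vendor.example   # sinkhole: blocks an update/reporting domain
0.0.0.0   telemetry.vendor.example
::1       scanner.vendor.example
208.91.199.225 mail.victim.example
10.0.0.5  buildbox.corp.example
"""


def parse_hosts(text):
    """Yield (line_no, address, name) for every active mapping; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            yield line_no, None, body  # malformed line: surface it rather than drop it
            continue
        for name in tokens[1:]:
            yield line_no, addr, name.lower()


def classify(addr, name):
    """Return a finding kind, or None for a mapping that belongs in a stock file."""
    if addr is None:
        return "malformed"
    if name in LOCAL_NAMES:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    if addr.is_private or addr.is_link_local:
        return "internal-pin"
    return "redirect"


def triage_hosts(text):
    """Return flagged entries, the active-entry count and a content hash for baselining."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        kind = classify(addr, name)
        if kind:
            findings.append({"line": line_no, "kind": kind,
                             "ip": str(addr) if addr else None, "name": name})
    return {"sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
            "active_entries": sum(1 for _ in parse_hosts(text)),
            "findings": findings}


if __name__ == "__main__":
    result = triage_hosts(SAMPLE_HOSTS)
    print(f"sha256={result['sha256']} active_entries={result['active_entries']}")
    for f in result["findings"]:
        print(f"  line {f['line']:>3} {f['kind']:<12} {str(f['ip']):<16} {f['name']}")
```

On a default Windows 10 host the file contains only comments, so any active entry is worth a look; the sinkhole class is the one to treat as a containment action by the malware (endpoint agents that cannot reach their update or reporting hosts stay quiet), and the file should be restored from baseline only after the injected process has been killed, or it will simply be rewritten.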

System Summary:

.NET source code contains very large strings
Source: TOP URGENT.exe, Form1.cs | Long String: Length: 38272
Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.cs | Long String: Length: 38272
Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.cs | Long String: Length: 38272
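
The three Form1.cs hits above point at one 38272-character string literal in the .NET source, the usual shape of a second stage carried as text (an encoded buffer the loader decodes at run time and, per the injection signatures in this report, writes into MSBuild.exe). The routine below is an added example, not code from the report or from Joe Sandbox, that reproduces the heuristic over a raw file rather than decompiled source: it finds long printable runs in both ASCII and UTF-16LE (the encoding of the #US user-string heap in .NET assemblies), scores each by Shannon entropy, checks whether it is valid base64 and, if so, whether the decoded bytes begin with the MZ header. The input is constructed in code: a few metadata-like bytes followed by a 6000-character base64 literal in UTF-16LE wrapping a fake MZ blob. It is not the real sample, and base64 is only one of the encodings such literals use.

```python
import base64
import math
import random
import re

B64_TEXT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text):
    """Bits per symbol: base64 of random bytes approaches 6.0, English prose sits near 4.5."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_blob(text):
    """Score one long string: (entropy, looks like base64, decodes to a PE image)."""
    looks_b64 = len(text) % 4 == 0 and B64_TEXT.match(text) is not None
    embedded_pe = False
    if looks_b64:
        try:
            embedded_pe = base64.b64decode(text, validate=True)[:2] == b"MZ"
        except ValueError:
            looks_b64 = False
    return shannon_entropy(text), looks_b64, embedded_pe


def find_long_strings(data, min_len=4096):
    """Locate printable runs of at least min_len characters, in ASCII and in UTF-16LE."""
    patterns = (
        ("ascii", re.compile(rb"[\x20-\x7e]{%d,}" % min_len)),
        ("utf-16le", re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)),
    )
    hits = []
    for encoding, pattern in patterns:
        for match in pattern.finditer(data):
            text = match.group().decode(encoding)
            entropy, looks_b64, embedded_pe = inspect_blob(text)
            hits.append({"offset": match.start(), "encoding": encoding, "length": len(text),
                         "entropy": round(entropy, 2), "base64": looks_b64,
                         "embedded_pe": embedded_pe})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed stand-in for an assembly: a base64 literal in a UTF-16LE string heap
    wrapping a fake MZ blob (deterministic, not the real sample)."""
    rng = random.Random(1)
    payload = b"MZ" + bytes(rng.getrandbits(8) for _ in range(4498))
    literal = base64.b64encode(payload)  # 4500 bytes -> 6000 characters, no padding
    # "BSJB" is the CLI metadata signature; the double NUL ends the short "Form1" string
    # so it cannot be glued onto the start of the UTF-16LE run.
    return (b"BSJB" + b"\x00" * 32 + b"Form1\x00\x00"
            + literal.decode("ascii").encode("utf-16le") + b"\x00" * 16)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for hit in find_long_strings(SAMPLE_IMAGE):
        print(hit)
```

Run against a real assembly the same way (read the file as bytes); a hit with entropy above about 5.5 that is not valid base64 is still interesting, since AgentTesla loaders also use custom alphabets, hex or reversed strings, and the offset lets you carve the literal for manual decoding.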
                      Source: TOP URGENT.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_009F8B54
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_0159E618
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_0159E608
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_0159BC74
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D81A10
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D80380
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D805D7
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D805F0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D84580
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D80658
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D80643
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D80040
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D80007
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_04D80371
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75CC0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C744D1
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75CD0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C744E0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C79490
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C794A0
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C77850
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7C460
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75018
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75829
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75030
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C75838
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7C190
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7AD40
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C79919
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C77D20
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C7712A
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C79928
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_08C77138
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5F2F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5C198
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B56179
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B54B40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5F298
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5A608
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B53590
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B52920
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B5D368
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00DF0E08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E16830
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E15AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1E650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1FA10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F4B8C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F460B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F42830
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F481A4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00F40590
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0280482C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0280482E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_0280D6C0
                      Source: TOP URGENT.exeBinary or memory string: OriginalFilename vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.244355309.00000000011B0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000000.222779716.00000000009F2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRuntimeFeatu.exeh$ vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.249062547.0000000008E50000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.244962828.0000000002D97000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEnvoySinks.dll6 vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNuOvAFWSWQdMrKTXvyKfCQZfruIZXIbbF.exe4 vs TOP URGENT.exe
                      Source: TOP URGENT.exeBinary or memory string: OriginalFilenameRuntimeFeatu.exeh$ vs TOP URGENT.exe
                      Source: TOP URGENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: TOP URGENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: TOP URGENT.exe ReversingLabs: Detection: 15%
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Users\user\Desktop\TOP URGENT.exe 'C:\Users\user\Desktop\TOP URGENT.exe'
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\TOP URGENT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TOP URGENT.exe.log
                      Source: classification engine Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@3/2@2/1
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                      Source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+
                      Source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4
                      Source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
                      Source: TOP URGENT.exe, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\TOP URGENT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: TOP URGENT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: TOP URGENT.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
                      Source: Binary string: l0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+ source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4 source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
                      Source: Binary string: lC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbr source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: TOP URGENT.exe, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Code function: 0_2_009F297F push 20000001h; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1B517 push edi; retn 0000h
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1D51B push ebp; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1DA85 push edi; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00E1D380 pushfd ; retf
                      Source: initial sample Static PE information: section name: .text entropy: 7.54096955911
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: TOP URGENT.exe PID: 6352, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\TOP URGENT.exe TID: 6356 Thread sleep time: -40352s >= -30000s
                      Source: C:\Users\user\Desktop\TOP URGENT.exe TID: 6396 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7132 Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7148 Thread sleep count: 1286 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7148 Thread sleep count: 8566 > 30
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1286
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 8566
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Thread delayed: delay time: 40352
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: vmware
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: VMWARE
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4_2_00B55598 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8CB008
                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File written: C:\Windows\System32\drivers\etc\hosts
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Users\user\Desktop\TOP URGENT.exe VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TOP URGENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TOP URGENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TOP URGENT.exe.3e4d7b0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TOP URGENT.exe.3f5dfd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TOP URGENT.exe.3e4d7b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TOP URGENT.exe PID: 6352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6592, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6592, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: the same Yara matches (unpacked PE, memory dumps and process memory of TOP URGENT.exe PID 6352 and MSBuild.exe PID 6592) listed under "Stealing of Sensitive Information" above.

MITRE ATT&CK Matrix

Digits following a technique name are the report's per-technique hit badges, rendered inline.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 212 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Security Software Discovery 221 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Virtualization/Sandbox Evasion 141 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 141 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 212 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
TOP URGENT.exe | 16% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
4.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false |  | high
smtp.almuntakhaba.com | unknown | unknown | true |  | unknown

                          URLs from Memory and Binaries


Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483922
Start date: 15.09.2021
Start time: 16:20:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TOP URGENT.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.adwa.spyw.evad.winEXE@3/2@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 2.20.86.117, 23.35.236.56, 20.82.209.183, 13.107.4.50, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208, 23.203.67.116, 23.203.69.124, 20.189.173.22
• Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, b1ns.c-0001.c-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, wildcard.weather.microsoft.com.edgekey.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, b1ns.au-msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/483922/sample/TOP URGENT.exe

Simulations

Behavior and APIs

Time | Type | Description
16:21:33 | API Interceptor | 1x Sleep call for process: TOP URGENT.exe modified
16:21:50 | API Interceptor | 675x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match: 208.91.199.225

Associated Sample Name / URL | Detection
HSBc20210216B1.exe | malicious
POINQUIRYRFQ676889.exe | malicious
qiQvJ3jGU2.exe | malicious
S121093 - RE Wire Transfer - 8,000.00 USD - deposit.exe | malicious
RFQ#MAT#Quotation No. 20077253.exe | malicious
Payment Advice 09092021 HSBC096754BK56CBREF.exe | malicious
PaymentReceipt.doc | malicious
Swift Transfer Copy mt103_PDF.exe | malicious
SecuriteInfo.com.MachineLearning.Anomalous.94.8891.exe | malicious
PURCHASE ORDER 2021.exe | malicious
L9d4lSc9LF4Yv1t.exe | malicious
P.O_345.exe | malicious
revised order-number 3A6.exe | malicious
QUOTATION -PDF-SCAN-COPY.exe | malicious
Urgent RFQ #2105031.pdf.exe | malicious
Listed Items Order.exe | malicious
order-2021-PO # 0834.xlsx | malicious
qPlRnI13fW.exe | malicious
PO.exe | malicious
VOn3J2hVHa.exe | malicious

Domains

Match: us2.smtp.mailhostbox.com

Associated Sample Name / URL | Detection | Context
HSBc20210216B1.exe | malicious | 208.91.199.225
POINQUIRYRFQ676889.exe | malicious | 208.91.199.223
PO- 45020032 Juv#U00e9l AS.exe | malicious | 208.91.199.224
48q74tT5IK.exe | malicious | 208.91.199.224
qiQvJ3jGU2.exe | malicious | 208.91.199.225
S121093 - RE Wire Transfer - 8,000.00 USD - deposit.exe | malicious | 208.91.199.224
Final Sept Order #0921.exe | malicious | 208.91.199.224
DHL Express Invoice.exe | malicious | 208.91.198.143
ee5s192YZ34Ybve.exe | malicious | 208.91.199.223
Payment Advice 09092021 HSBC096754BK56CBREF.exe | malicious | 208.91.199.224
sapa list.doc | malicious | 208.91.198.143
RFQ#MAT#Quotation No. 20077253.exe | malicious | 208.91.199.225
04142021_10RD0207S0N0000,pdf.exe | malicious | 208.91.199.223
HY19071 PI.exe | malicious | 208.91.198.143
PO_Contract_ANR07152112_20210715181907__110.exe | malicious | 208.91.198.143
RFQ-#80986-3580.exe | malicious | 208.91.199.224
Bank swift copy.exe | malicious | 208.91.199.224
i9fnXDoul7.exe | malicious | 208.91.199.225
Shipping Doc_968018592077_pdf.exe | malicious | 208.91.198.143
AWB_968018592077_Invoice_pdf.exe | malicious | 208.91.198.143

ASN

Match: PUBLIC-DOMAIN-REGISTRYUS

Associated Sample Name / URL | Detection | Context
HSBc20210216B1.exe | malicious | 208.91.199.225
POINQUIRYRFQ676889.exe | malicious | 208.91.199.223
PO- 45020032 Juv#U00e9l AS.exe | malicious | 208.91.199.224
Qoutation for Strips.doc | malicious | 162.215.241.145
48q74tT5IK.exe | malicious | 208.91.199.224
qiQvJ3jGU2.exe | malicious | 208.91.199.225
S121093 - RE Wire Transfer - 8,000.00 USD - deposit.exe | malicious | 208.91.199.224
angelzx.exe | malicious | 162.215.241.145
Final Sept Order #0921.exe | malicious | 208.91.199.224
PO KV18RE001-A5193.doc | malicious | 199.79.62.16
DHL Express Invoice.exe | malicious | 208.91.198.143
0zWKZlSOqL.exe | malicious | 199.79.62.16
ee5s192YZ34Ybve.exe | malicious | 208.91.199.224
Payment advice_103.exe | malicious | 199.79.62.145
QUOTATION.exe | malicious | 162.215.249.19
diagram-595.doc | malicious | 116.206.105.115
Payment Advice 09092021 HSBC096754BK56CBREF.exe | malicious | 208.91.199.224
LJUNGBY QUOTATION.doc | malicious | 162.215.241.145
TPL020321.doc | malicious | 162.215.241.145
sapa list.doc | malicious | 208.91.198.143

JA3 Fingerprints

Match: bd0bf25947d4a37404f0424edf4db9ad

Associated Sample Name / URL | Detection | Context
4GjwZxgraf.exe | malicious | 20.190.160.131
hWEV7WHuSm.exe | malicious | 20.190.160.131
Wire Payment-remittance#.html | malicious | 20.190.160.131
securemessage.htm | malicious | 20.190.160.131
oGgH8vgU0Z.exe | malicious | 20.190.160.131
btweb_installer.exe | malicious | 20.190.160.131
codes.zip.exe | malicious | 20.190.160.131
r6.zip.exe | malicious | 20.190.160.131
installer_20f7d5a8ce373.exe | malicious | 20.190.160.131
eQjZ5OS5m5.exe | malicious | 20.190.160.131
vape_all_versions.zip.exe | malicious | 20.190.160.131
script_hack_412.zip.exe | malicious | 20.190.160.131
DesktopCentralAgent.exe | malicious | 20.190.160.131
orbi-valorant-injector.exe | malicious | 20.190.160.131
Agenda1.docx | malicious | 20.190.160.131
SecuriteInfo.com.BackDoor.Rat.281.18292.exe | malicious | 20.190.160.131
FragCache Hack v47.zip.exe | malicious | 20.190.160.131
DesktopCentralAgent.exe | malicious | 20.190.160.131
eBay-invoice-2195921.vbs | malicious | 20.190.160.131

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TOP URGENT.exe.log
Process: C:\Users\user\Desktop\TOP URGENT.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
Reputation: high, very likely benign file
Preview: ..127.0.0.1

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.470825518995194
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: TOP URGENT.exe
File size: 713216
MD5: 3af20ee616d2d9c806d27a3c245d4d7b
SHA1: f4448544d0fd560be3a8c1e6ff46670251785267
SHA256: c810e257ac876cb505d076efee941037f5f9fd11464a4af8515d0fbac61509b1
SHA512: b1e98284ddc4e4ffb2742818e4a38c172d255a6922bd058b29f0fa0071c4564268e7faa967b6de4dc8713f322bf904afb801f58eee17d9d1e240f18f12b920ba
SSDEEP: 12288:i7kWHCM2K4CKI/yzQs2TaIpI0iJWRUB1acpCAIWoAdLekQNED0aoV5I:CE3CfMIpI0iJyUBnuW/vcEoaoV5I
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.Aa..............0..r...n........... ........@.. .......................@............@................................

File Icon

Icon Hash: f1f0f4d0eecccc71

Static PE Info

General

Entrypoint: 0x4a90e2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6141B258 [Wed Sep 15 08:44:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa9090          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xaa000          0x6b90        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xa70e8       0xa7200   False     0.825526189697   data       7.54096955911   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xaa000          0x6b90        0x6c00    False     0.442672164352   data       5.09315736514   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size    Type                                                                                                                Language  Country
RT_ICON        0xaa200  0x668   data
RT_ICON        0xaa878  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1953594267, next used block 28725
RT_ICON        0xaab70  0x128   GLS_BINARY_LSB_FIRST
RT_ICON        0xaaca8  0xea8   data
RT_ICON        0xabb60  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON        0xac418  0x568   GLS_BINARY_LSB_FIRST
RT_ICON        0xac990  0x25a8  data
RT_ICON        0xaef48  0x10a8  data
RT_ICON        0xb0000  0x468   GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xb0478  0x84    data
RT_VERSION     0xb050c  0x484   data
RT_MANIFEST    0xb09a0  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2008 - 2010
Assembly Version  1.3.0.0
InternalName      RuntimeFeatu.exe
FileVersion       1.3.0.0
CompanyName       WHC
LegalTrademarks
Comments          A little Tool where you can check the stats of your RYL - Risk Your Life - characters. Ruins of War version.
ProductName       RYL Character Tool - RoW EU version
ProductVersion    1.3.0.0
FileDescription   RYL Character Tool - RoW EU version
OriginalFilename  RuntimeFeatu.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
09/15/21-16:23:28.117425  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP   49820        587        192.168.2.3  208.91.199.225

Network Port Distribution

TCP Packets

                                                                                        Sep 15, 2021 16:22:13.973058939 CEST4969380192.168.2.393.184.220.29
                                                                                        Sep 15, 2021 16:23:02.268676996 CEST4968380192.168.2.323.55.161.160
                                                                                        Sep 15, 2021 16:23:02.269232988 CEST49696443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:02.269351006 CEST49684443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:02.269519091 CEST49686443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:02.269521952 CEST49697443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:02.269678116 CEST4968580192.168.2.393.184.220.29
                                                                                        Sep 15, 2021 16:23:02.286824942 CEST804968593.184.220.29192.168.2.3
                                                                                        Sep 15, 2021 16:23:02.286956072 CEST4968580192.168.2.393.184.220.29
                                                                                        Sep 15, 2021 16:23:02.288193941 CEST804968323.55.161.160192.168.2.3
                                                                                        Sep 15, 2021 16:23:02.288337946 CEST4968380192.168.2.323.55.161.160
                                                                                        Sep 15, 2021 16:23:02.296071053 CEST4434968420.190.160.131192.168.2.3
                                                                                        Sep 15, 2021 16:23:02.296262980 CEST4434969620.190.160.131192.168.2.3
                                                                                        Sep 15, 2021 16:23:02.296268940 CEST49684443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:02.296366930 CEST49696443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:02.296528101 CEST4434969720.190.160.131192.168.2.3
                                                                                        Sep 15, 2021 16:23:02.296561003 CEST4434968620.190.160.131192.168.2.3
                                                                                        Sep 15, 2021 16:23:02.296644926 CEST49697443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:02.296674967 CEST49686443192.168.2.320.190.160.131
                                                                                        Sep 15, 2021 16:23:13.327773094 CEST804967993.184.221.240192.168.2.3
                                                                                        Sep 15, 2021 16:23:13.327915907 CEST4967980192.168.2.393.184.221.240
                                                                                        Sep 15, 2021 16:23:13.670583963 CEST804968093.184.220.29192.168.2.3
                                                                                        Sep 15, 2021 16:23:13.670836926 CEST4968080192.168.2.393.184.220.29
                                                                                        Sep 15, 2021 16:23:18.473272085 CEST4434968813.107.5.88192.168.2.3
                                                                                        Sep 15, 2021 16:23:18.854533911 CEST4434968713.107.5.88192.168.2.3
                                                                                        Sep 15, 2021 16:23:25.149704933 CEST804967993.184.221.240192.168.2.3
                                                                                        Sep 15, 2021 16:23:25.149786949 CEST4967980192.168.2.393.184.221.240

                                                                                        UDP Packets

                                                                                        DNS Queries

                                                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                        Sep 15, 2021 16:23:26.026834011 CEST | 192.168.2.3 | 8.8.8.8 | 0x5147 | Standard query (0) | smtp.almuntakhaba.com | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.557805061 CEST | 192.168.2.3 | 8.8.8.8 | 0xd737 | Standard query (0) | smtp.almuntakhaba.com | A (IP address) | IN (0x0001)

                                                                                        DNS Answers

                                                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                        Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | smtp.almuntakhaba.com | us2.smtp.mailhostbox.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.225 | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.198.143 | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.223 | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.224 | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | smtp.almuntakhaba.com | us2.smtp.mailhostbox.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.225 | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.224 | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.223 | A (IP address) | IN (0x0001)
                                                                                        Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.198.143 | A (IP address) | IN (0x0001)

                                                                                        SMTP Packets

                                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                                        Sep 15, 2021 16:23:27.243478060 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                        Sep 15, 2021 16:23:27.244544983 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | EHLO 928100
                                                                                        Sep 15, 2021 16:23:27.388012886 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
                                                                                            250-PIPELINING
                                                                                            250-SIZE 41648128
                                                                                            250-VRFY
                                                                                            250-ETRN
                                                                                            250-STARTTLS
                                                                                            250-AUTH PLAIN LOGIN
                                                                                            250-AUTH=PLAIN LOGIN
                                                                                            250-ENHANCEDSTATUSCODES
                                                                                            250-8BITMIME
                                                                                            250 DSN
                                                                                        Sep 15, 2021 16:23:27.389497042 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | AUTH login cHBjQGFsbXVudGFraGFiYS5jb20=
                                                                                        Sep 15, 2021 16:23:27.533042908 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                                                                                        Sep 15, 2021 16:23:27.678124905 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 235 2.7.0 Authentication successful
                                                                                        Sep 15, 2021 16:23:27.679183006 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | MAIL FROM:<ppc@almuntakhaba.com>
                                                                                        Sep 15, 2021 16:23:27.822444916 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250 2.1.0 Ok
                                                                                        Sep 15, 2021 16:23:27.822858095 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | RCPT TO:<ppc@almuntakhaba.com>
                                                                                        Sep 15, 2021 16:23:27.972619057 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250 2.1.5 Ok
                                                                                        Sep 15, 2021 16:23:27.973043919 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | DATA
                                                                                        Sep 15, 2021 16:23:28.116139889 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF>
                                                                                        Sep 15, 2021 16:23:28.118664980 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | .
                                                                                        Sep 15, 2021 16:23:28.321346998 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250 2.0.0 Ok: queued as DBF7FD96D1

                                                                                        Code Manipulations

                                                                                        Statistics

                                                                                        Behavior

                                                                                        System Behavior

                                                                                        General

                                                                                        Start time:16:21:25
                                                                                        Start date:15/09/2021
                                                                                        Path:C:\Users\user\Desktop\TOP URGENT.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\Desktop\TOP URGENT.exe'
                                                                                        Imagebase:0x9f0000
                                                                                        File size:713216 bytes
                                                                                        MD5 hash:3AF20EE616D2D9C806D27A3C245D4D7B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:16:21:35
                                                                                        Start date:15/09/2021
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                        Imagebase:0x690000
                                                                                        File size:261728 bytes
                                                                                        MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        Reputation:high

                                                                                        Disassembly

                                                                                        Code Analysis
