
Windows Analysis Report
Raeue.exe

Overview

General Information

Sample Name: Raeue.exe
Analysis ID: 626539
MD5: 47d09683fc102a85a7dea2516ca81fa3
SHA1: f64cc824abd8804458c3f31f06c16d0bec9338dd
SHA256: 848ce511daf9046ab1ab3bed080d5c20bdeb3fd0bebc016fc3af70b892ebb5c9
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: MSBuild connects to smtp port
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Raeue.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\Raeue.exe" MD5: 47D09683FC102A85A7DEA2516CA81FA3)
    • cmd.exe (PID: 7028 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7076 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 7120 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7164 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 5812 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5260 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 5228 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6384 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6436 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6476 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 2972 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 2948 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 4756 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4592 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 4180 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6292 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6944 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6632 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6000 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7064 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6796 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6296 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 4052 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6464 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6484 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5704 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 1532 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4856 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6584 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6516 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 5756 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6396 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 3036 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6488 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6576 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7056 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6472 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6328 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6052 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6356 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • MSBuild.exe (PID: 4788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • Tyovqojh.exe (PID: 412 cmdline: "C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe" MD5: 47D09683FC102A85A7DEA2516CA81FA3)
  • cleanup

Malware Configuration

{"Exfil Mode": "SMTP", "Username": "info@metalindus.cl", "Password": "metalindus_2019", "Host": "mail.metalindus.cl"}

Source | Rule | Description | Author
Raeue.exe | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth
  • 0x44348:$i2: sserddAcorPteG (GetProcAddress, reversed)
  • 0x44413:$i3: AyrarbiLdaoL (LoadLibraryA, reversed)

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth
  • 0x44348:$i2: sserddAcorPteG
  • 0x44413:$i3: AyrarbiLdaoL

Source | Rule | Description | Author
0000004F.00000002.479898674.0000000003A71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000004F.00000002.479898674.0000000003A71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000004C.00000000.368773514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000004C.00000000.368773514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.382727411.0000000003F92000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(21 entries in total)

Source | Rule | Description | Author
79.0.Tyovqojh.exe.5b0000.0.unpack | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth
  • 0x44348:$i2: sserddAcorPteG
  • 0x44413:$i3: AyrarbiLdaoL
0.2.Raeue.exe.910000.0.unpack | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth
  • 0x44348:$i2: sserddAcorPteG
  • 0x44413:$i3: AyrarbiLdaoL
79.2.Tyovqojh.exe.5b0000.0.unpack | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth
  • 0x44348:$i2: sserddAcorPteG
  • 0x44413:$i3: AyrarbiLdaoL
0.2.Raeue.exe.3f92930.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Raeue.exe.3f92930.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(29 entries in total)

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 216.246.112.22, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4788, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49781
No Snort rule has matched


AV Detection

Source: 76.0.MSBuild.exe.400000.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@metalindus.cl", "Password": "metalindus_2019", "Host": "mail.metalindus.cl"}
Source: Raeue.exe | Virustotal: Detection: 30%
Source: Raeue.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | ReversingLabs: Detection: 34%
Source: Raeue.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Joe Sandbox ML: detected
Source: 76.0.MSBuild.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 79.2.Tyovqojh.exe.5b0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 76.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.Raeue.exe.910000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 79.0.Tyovqojh.exe.5b0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 76.0.MSBuild.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 76.0.MSBuild.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 76.0.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.0.Raeue.exe.910000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 76.0.MSBuild.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: Raeue.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Raeue.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb | source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr
Source: Binary string: protobuf-net.pdbSHA256 | source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD | source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr
Source: Binary string: protobuf-net.pdb | source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Raeue.exe | Code function: 4x nop then jmp 05CC6880h
Source: C:\Users\user\Desktop\Raeue.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\Raeue.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\Desktop\Raeue.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\Raeue.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\Raeue.exe | Code function: 4x nop then jmp 05CC6880h
Source: C:\Users\user\Desktop\Raeue.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 4x nop then jmp 029F6880h
Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: Joe Sandbox View | ASN Name: SERVERCENTRALUS SERVERCENTRALUS
Source: global traffic | TCP traffic: 192.168.2.3:49781 -> 216.246.112.22:587
Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000003.406287361.0000000006324000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469905610.0000000006368000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000003.406287361.0000000006324000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469905610.0000000006368000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000003.406287361.0000000006324000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469905610.0000000006368000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.comodoca
Source: MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468687746.000000000326D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.metalindus.cl
Source: MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468687746.000000000326D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://metalindus.cl
Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000003.406287361.0000000006324000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469905610.0000000006368000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 0000004C.00000002.468636703.0000000003253000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468627879.000000000324B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468568665.0000000003221000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468409660.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pz3rRFNMLjA.org
Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://rfQUKE.com
Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%appdata
Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000003.406287361.0000000006324000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469905610.0000000006368000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                Source: Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481446949.00000000076C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                Source: unknownDNS traffic detected: queries for: mail.metalindus.cl

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_053C1180 SetWindowsHookExW 0000000D,00000000,?,?
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: cmd.exeProcess created: 40

                System Summary

                Source: 0.2.Raeue.exe.3f92930.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 76.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 79.2.Tyovqojh.exe.3c32930.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 0.2.Raeue.exe.3f92930.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 76.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 76.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 76.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 79.2.Tyovqojh.exe.3c32930.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 76.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 76.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 76.0.MSBuild.exe.400000.2.unpack, <PrivateImplementationDetails>{82BB9DA8-A73B-45B7-B88E-2F7E25EC666C}/53F91F61-6C41-4B18-A631-88B40D8EBF1D.csLarge array initialization: .cctor: array initializer size 11625
                Source: 76.2.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{82BB9DA8-A73B-45B7-B88E-2F7E25EC666C}/53F91F61-6C41-4B18-A631-88B40D8EBF1D.csLarge array initialization: .cctor: array initializer size 11625
                Source: 76.0.MSBuild.exe.400000.3.unpack, <PrivateImplementationDetails>{82BB9DA8-A73B-45B7-B88E-2F7E25EC666C}/53F91F61-6C41-4B18-A631-88B40D8EBF1D.csLarge array initialization: .cctor: array initializer size 11625
                Source: 76.0.MSBuild.exe.400000.4.unpack, <PrivateImplementationDetails>{82BB9DA8-A73B-45B7-B88E-2F7E25EC666C}/53F91F61-6C41-4B18-A631-88B40D8EBF1D.csLarge array initialization: .cctor: array initializer size 11625
                Source: 76.0.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{82BB9DA8-A73B-45B7-B88E-2F7E25EC666C}/53F91F61-6C41-4B18-A631-88B40D8EBF1D.csLarge array initialization: .cctor: array initializer size 11625
                Source: 76.0.MSBuild.exe.400000.1.unpack, <PrivateImplementationDetails>{82BB9DA8-A73B-45B7-B88E-2F7E25EC666C}/53F91F61-6C41-4B18-A631-88B40D8EBF1D.csLarge array initialization: .cctor: array initializer size 11625
                Source: Raeue.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: Raeue.exe, type: SAMPLEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                Source: 79.0.Tyovqojh.exe.5b0000.0.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                Source: 0.2.Raeue.exe.910000.0.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                Source: 79.2.Tyovqojh.exe.5b0000.0.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                Source: 0.2.Raeue.exe.3f92930.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 76.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 79.2.Tyovqojh.exe.3c32930.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.2.Raeue.exe.3f92930.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 76.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 76.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 76.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 79.2.Tyovqojh.exe.3c32930.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 76.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 76.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 0.0.Raeue.exe.910000.0.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe, type: DROPPEDMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_00912053
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_010E4760
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CB65C0
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CB57D0
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CB21BF
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CB5020
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CB8B20
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CB24F8
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CB32B0
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CCA7CA
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05CC3E80
                Source: C:\Users\user\Desktop\Raeue.exeCode function: 0_2_05C90CB8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_053C9F20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_0663E520
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_0663CAA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06636BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06639660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06639CB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06633330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067D3205
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067DA058
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067D60B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067DFE39
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067DAEA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067D0B18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067DA052
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067D7FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_067D0AB4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06899E60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06897CE4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06893518
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_0689B880
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_0689B78F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06892420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_0689C550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06894AB8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06894B58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06890007
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_06890040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 76_2_0689B87E
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_005B2053
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E8B20
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E500F
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E21C8
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E6620
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E57D0
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E3248
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E68B9
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029E24F8
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029F96E2
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_029F3C30
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeCode function: 79_2_02980CB8
                Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Raeue.exe
                Source: Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Raeue.exe
                Source: Raeue.exe, 00000000.00000002.371397963.0000000002C70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameEsbcjhcyagovrgzw.dll" vs Raeue.exe
                Source: Raeue.exe, 00000000.00000002.382727411.0000000003F92000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAdplJoeydtuRjWuMIoQUkqgMzvbzvdaYj.exe4 vs Raeue.exe
                Source: Raeue.exe, 00000000.00000002.392262355.0000000007BA0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAdplJoeydtuRjWuMIoQUkqgMzvbzvdaYj.exe4 vs Raeue.exe
                Source: Raeue.exe, 00000000.00000002.392911248.0000000007BD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: get_OriginalFilename vs Raeue.exe
                Source: Raeue.exe, 00000000.00000002.384143925.0000000007871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: get_OriginalFilename vs Raeue.exe
                Source: Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Raeue.exe
                Source: Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Raeue.exe
                Source: Raeue.exe, 00000000.00000002.380956103.0000000003DD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAdplJoeydtuRjWuMIoQUkqgMzvbzvdaYj.exe4 vs Raeue.exe
                Source: Raeue.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: Tyovqojh.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: microsoft.exe.76.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: microsoft.exe.76.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: microsoft.exe.76.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: Raeue.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: Tyovqojh.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: Raeue.exeVirustotal: Detection: 30%
                Source: Raeue.exeReversingLabs: Detection: 34%
                Source: C:\Users\user\Desktop\Raeue.exeFile read: C:\Users\user\Desktop\Raeue.exeJump to behavior
                Source: Raeue.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Raeue.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\Raeue.exe "C:\Users\user\Desktop\Raeue.exe"
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe "C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe"
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process created: unknown unknown
                Source: C:\Users\user\Desktop\Raeue.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Raeue.exe | File created: C:\Users\user\AppData\Roaming\Iqbhgo
                Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@124/6@8/2
                Source: C:\Users\user\Desktop\Raeue.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: microsoft.exe.76.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
                Source: microsoft.exe.76.dr, Microsoft.Build/Shared/TaskLoader.cs | Task registration methods: 'CreateTask'
                Source: microsoft.exe.76.dr, Microsoft.Build/BackEnd/TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
                Source: microsoft.exe.76.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.cs | Task registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
                Source: microsoft.exe.76.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: microsoft.exe.76.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: microsoft.exe.76.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: microsoft.exe.76.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
                Source: microsoft.exe.76.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
                Source: C:\Users\user\Desktop\Raeue.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3956:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: *.sln
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: MSBuild MyApp.csproj /t:Clean
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: /ignoreprojectextensions:.sln
                Source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                Source: 76.0.MSBuild.exe.400000.2.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 76.0.MSBuild.exe.400000.2.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 76.2.MSBuild.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 76.2.MSBuild.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 76.0.MSBuild.exe.400000.3.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 76.0.MSBuild.exe.400000.3.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Raeue.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Raeue.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Raeue.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Raeue.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr
                Source: Binary string: protobuf-net.pdbSHA256 source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 0000004C.00000003.372911031.0000000006317000.00000004.00000800.00020000.00000000.sdmp, microsoft.exe.76.dr
                Source: Binary string: protobuf-net.pdb source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp

                Data Obfuscation

                Source: Raeue.exe, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: Tyovqojh.exe.0.dr, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.Raeue.exe.910000.0.unpack, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.Raeue.exe.910000.0.unpack, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 79.2.Tyovqojh.exe.5b0000.0.unpack, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 79.0.Tyovqojh.exe.5b0000.0.unpack, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_00912643 push es; ret
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_00956BA6 pushfd ; retn 007Eh
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_010E2B53 pushfd ; iretd
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_010E53AE push esp; iretd
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_010E2403 pushad ; iretd
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_010E1C63 push ebx; iretd
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CB81D0 pushfd ; retf 0005h
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CBC953 push eax; ret
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CB38E8 pushad ; retf 0005h
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CB38E1 pushad ; retf 0005h
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CB3849 pushad ; retf 0005h
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CB3871 pushad ; retf 0005h
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CB3820 pushad ; retf 0005h
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CBC379 push dword ptr [esp+edi-75h]; iretd
                Source: C:\Users\user\Desktop\Raeue.exe | Code function: 0_2_05CC8B32 push 37ECB990h; iretd
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_06632177 push edi; retn 0000h
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_06632CBF push esp; retf
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_066318C3 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_0663190F push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_067D9F62 pushfd ; retf
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_067D9F5A push esp; retf
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_067D9F12 pushad ; retf
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 76_2_067DFCE4 push eax; iretd
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 79_2_005B2643 push es; ret
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 79_2_005F6BA6 pushfd ; retn 007Eh
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 79_2_029E7213 push FFFFFF8Bh; iretd
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 79_2_029E70D9 push FFFFFF8Bh; ret
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Code function: 79_2_029E70EB push FFFFFF8Bh; iretd
                Source: Raeue.exe | Static PE information: 0x9C37093F [Sat Jan 18 22:35:43 2053 UTC]
                Source: initial sample | Static PE information: section name: .text entropy: 7.52419685998
                Source: initial sample | Static PE information: section name: .text entropy: 7.52419685998
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\microsoft.exe
                Source: C:\Users\user\Desktop\Raeue.exe | File created: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe

                Boot Survival

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run microsoft
                Source: C:\Users\user\Desktop\Raeue.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tyovqojh
                Source: C:\Users\user\Desktop\Raeue.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tyovqojh
                Source: C:\Users\user\Desktop\Raeue.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tyovqojh
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run microsoft
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run microsoft

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\microsoft\microsoft.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Raeue.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\Raeue.exe TID: 6996 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4652 Thread sleep time: -16602069666338586s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6456 Thread sleep count: 5332 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6456 Thread sleep count: 3339 > 30
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe TID: 5020 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Raeue.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5332
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3339
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Raeue.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Raeue.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Thread delayed: delay time: 922337203685477
                Source: MSBuild.exe, 0000004C.00000003.406287361.0000000006324000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\Raeue.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 76_2_0663B7E0 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\Raeue.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Raeue.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                Source: C:\Users\user\Desktop\Raeue.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                Source: C:\Users\user\Desktop\Raeue.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 436000
                Source: C:\Users\user\Desktop\Raeue.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
                Source: C:\Users\user\Desktop\Raeue.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D3B008
                Source: microsoft.exe.76.dr, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                Source: 76.0.MSBuild.exe.400000.2.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: 76.2.MSBuild.exe.400000.0.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: 76.0.MSBuild.exe.400000.3.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: 76.0.MSBuild.exe.400000.4.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: 76.0.MSBuild.exe.400000.0.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: 76.0.MSBuild.exe.400000.1.unpack, A/E1.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                Source: C:\Users\user\Desktop\Raeue.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Memory written: unknown base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Raeue.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 1
                Source: C:\Users\user\Desktop\Raeue.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Process created: unknown unknown
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br>XV
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br>
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468665458.0000000003269000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br><font color="#00ba66">{Win}</font>r
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br>
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br><font color="#00ba66">{Win}</font>
                Source: MSBuild.exe, 0000004C.00000002.468750109.00000000032EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(05/14/2022 12:30:18)</font></font><br>
                Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
                Source: MSBuild.exe, 0000004C.00000002.468750109.00000000032EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(05/14/2022 12:20:10)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(05/14/2022 12:30:18)</font></font><br>r
                Source: C:\Users\user\Desktop\Raeue.exe Queries volume information: C:\Users\user\Desktop\Raeue.exe VolumeInformation
                Source: C:\Users\user\Desktop\Raeue.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\Raeue.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Raeue.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Raeue.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Queries volume information: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Raeue.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.Raeue.exe.3f92930.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 79.2.Tyovqojh.exe.3c32930.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.Raeue.exe.3f92930.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 79.2.Tyovqojh.exe.3c32930.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0000004F.00000002.479898674.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.368773514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.382727411.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.368417395.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.367740613.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.368074941.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000002.464873991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004F.00000002.480513797.0000000003C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.380956103.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004F.00000002.481850600.0000000007A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: Raeue.exe PID: 6964, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4788, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: Tyovqojh.exe PID: 412, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match File source: 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4788, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match File source: 0.2.Raeue.exe.3f92930.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 79.2.Tyovqojh.exe.3c32930.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.Raeue.exe.3f92930.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 79.2.Tyovqojh.exe.3c32930.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 76.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0000004F.00000002.479898674.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.368773514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.382727411.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.368417395.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.367740613.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000000.368074941.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000002.464873991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004F.00000002.480513797.0000000003C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.380956103.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004F.00000002.481850600.0000000007A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Raeue.exe PID: 6964, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4788, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Tyovqojh.exe PID: 412, type: MEMORYSTR
MITRE ATT&CK matrix (rebuilt from the flattened 14-column grid; techniques the analysis matched carry the signature-count marker from their original cell as [n], the rest are the unmatched template entries):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [211]; Native API [1]; Scheduled Task/Job [1]; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [11]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection [212]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [11]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [13]; Timestomp [1]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [212]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]; Input Capture [21]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery [1]; System Information Discovery [114]; Query Registry [1]; Security Software Discovery [211]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [21]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [12]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph (ID 626539, sample Raeue.exe, start date 14/05/2022, architecture WINDOWS, score 100), rendered as a process tree from the graph's node and edge text:

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
Top-level DNS: metalindus.cl; mail.metalindus.cl

Raeue.exe (started)
    DNS/IP: 192.168.2.1 (unknown, unknown)
    Dropped: C:\Users\user\AppData\...\Tyovqojh.exe (PE32); C:\Users\...\Tyovqojh.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\Raeue.exe.log (ASCII)
    Signatures: Creates multiple autostart registry keys; Writes to foreign memory regions; Injects a PE file into a foreign processes
    Started: MSBuild.exe; cmd.exe; cmd.exe; 18 other processes
        MSBuild.exe
            DNS/IP: metalindus.cl 216.246.112.22 (ports 49781, 49792, 49839; SERVERCENTRALUS, United States); mail.metalindus.cl
            Dropped: C:\Users\user\AppData\...\microsoft.exe (PE32)
            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 7 other signatures
        cmd.exe: started conhost.exe; timeout.exe
        cmd.exe: started conhost.exe; timeout.exe
        18 other processes: started conhost.exe (3x); 33 other processes
Tyovqojh.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Antivirus, Machine Learning and Genetic Malware Detection

Submitted file
Source | Detection | Scanner | Label
Raeue.exe | 31% | Virustotal |
Raeue.exe | 34% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph
Raeue.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe | 34% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Roaming\Microsoft\microsoft.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\microsoft.exe | 0% | ReversingLabs |

Unpacked PE files
Source | Detection | Scanner | Label
76.0.MSBuild.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
79.2.Tyovqojh.exe.5b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
76.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
0.2.Raeue.exe.910000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
79.0.Tyovqojh.exe.5b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
76.0.MSBuild.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
76.0.MSBuild.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
76.0.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
0.0.Raeue.exe.910000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
76.0.MSBuild.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8

Domains
Source | Detection | Scanner | Label
metalindus.cl | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://mail.metalindus.cl | 0% | Avira URL Cloud | safe
https://api.ipify.org%appdata | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://pz3rRFNMLjA.org | 0% | Avira URL Cloud | safe
http://rfQUKE.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://crt.comodoca | 0% | Avira URL Cloud | safe
http://metalindus.cl | 0% | Avira URL Cloud | safe
Domains and IPs

Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
metalindus.cl | 216.246.112.22 | true | true | | unknown
mail.metalindus.cl | unknown | unknown | true | | unknown
URLs from memory and binaries (Name | Malicious | Antivirus Detection | Reputation, with the memory dumps each string was found in listed beneath)

http://127.0.0.1:HTTP/1.1 | false | Avira URL Cloud: safe | low
    Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
https://sectigo.com/CPS0 | false | URL Reputation: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.468702711.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000003.406287361.0000000006324000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469905610.0000000006368000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp
https://github.com/mgravell/protobuf-neti | false | | high
    Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
https://stackoverflow.com/q/14436606/23354 | false | | high
    Source: Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481446949.00000000076C1000.00000004.00000800.00020000.00000000.sdmp
https://github.com/mgravell/protobuf-netJ | false | | high
    Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
http://mail.metalindus.cl | false | Avira URL Cloud: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468687746.000000000326D000.00000004.00000800.00020000.00000000.sdmp
https://api.ipify.org%appdata | false | URL Reputation: safe | low
    Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
https://stackoverflow.com/q/11564914/23354; | false | | high
    Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
https://stackoverflow.com/q/2152978/23354 | false | | high
    Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | false | URL Reputation: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | false | URL Reputation: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
https://github.com/mgravell/protobuf-net | false | | high
    Source: Raeue.exe, 00000000.00000002.383484734.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Raeue.exe, 00000000.00000003.364931995.0000000004047000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000003.364871019.0000000003FB3000.00000004.00000800.00020000.00000000.sdmp, Raeue.exe, 00000000.00000002.396837651.0000000007E0C000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459692423.0000000003C53000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000003.459793124.0000000003CE7000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.482201276.0000000007C5D000.00000004.00000800.00020000.00000000.sdmp, Tyovqojh.exe, 0000004F.00000002.481284902.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
http://pz3rRFNMLjA.org | false | Avira URL Cloud: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.468636703.0000000003253000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468627879.000000000324B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468568665.0000000003221000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468409660.00000000031E1000.00000004.00000800.00020000.00000000.sdmp
http://rfQUKE.com | false | Avira URL Cloud: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
https://api.ipify.org% | false | URL Reputation: safe | low
    Source: MSBuild.exe, 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp
http://crt.comodoca | false | Avira URL Cloud: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.469702419.00000000062F0000.00000004.00000800.00020000.00000000.sdmp
http://metalindus.cl | false | Avira URL Cloud: safe | unknown
    Source: MSBuild.exe, 0000004C.00000002.468588154.0000000003227000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000004C.00000002.468687746.000000000326D000.00000004.00000800.00020000.00000000.sdmp
Contacted public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
216.246.112.22 | metalindus.cl | United States | 23352 | SERVERCENTRALUS | true

Private IPs
192.168.2.1
                              Joe Sandbox Version:34.0.0 Boulder Opal
                              Analysis ID:626539
Start date and time: 2022-05-14 11:39:31 +02:00
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 11m 7s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:Raeue.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:80
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.spre.troj.spyw.evad.winEXE@124/6@8/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 0.4% (good quality ratio 0.2%)
                              • Quality average: 45.4%
                              • Quality standard deviation: 43.2%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Adjust boot time
                              • Enable AMSI
                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
                              • TCP Packets have been reduced to 100
                              • Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.6.115, 40.126.31.68, 20.190.159.70, 20.190.159.22, 40.126.31.64, 20.190.159.3, 20.190.159.74, 20.190.159.72, 40.126.31.70, 20.49.150.241, 23.211.4.86, 20.190.159.5, 20.190.159.1, 40.126.31.72, 20.199.120.182, 173.222.108.226, 173.222.108.210, 20.199.120.85, 20.199.120.151, 80.67.82.235, 80.67.82.211, 20.54.89.106, 40.125.122.176, 20.223.24.244, 40.112.88.60
                              • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, atm-settingsfe-prod-geo.trafficmanager.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, setti
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:41:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Tyovqojh "C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe"
11:41:33 | API Interceptor | 270x Sleep call for process: MSBuild.exe modified
11:41:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run microsoft C:\Users\user\AppData\Roaming\microsoft\microsoft.exe
11:41:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Tyovqojh "C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe"
11:41:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run microsoft C:\Users\user\AppData\Roaming\microsoft\microsoft.exe
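Three behaviours in this report map directly onto host detections: the credential stores the injected MSBuild.exe opened in the signature section above (FileZilla recentservers.xml, SmartFTP favorites, Firefox profiles.ini, Chrome Cookies and Login Data, the Outlook profile key and the WinSCP Sessions key), the two Run values written here that both launch binaries under %APPDATA%, and the "MSBuild connects to smtp port" Sigma hit. The Python below is an added example written for this page, not Joe Sandbox or Sigma code. It assumes a flat, EDR-style event record (the `event`, `image`, `target`, `details`, `dst_ip` and `dst_port` fields are this example's own schema, to be filled from Sysmon Event ID 13 and 3 or Security 4663 records); the SMTP port set, the owner-process allowlist and every sample event are assumptions or constructed data.

```python
"""Host detections for the three behaviours this report documents:
  1. a non-owner process (here the injected MSBuild.exe) opening browser, FTP and
     mail credential stores,
  2. HKCU ...\CurrentVersion\Run values that point into %APPDATA%,
  3. MSBuild.exe opening a connection to an SMTP port.
Added example, not Joe Sandbox or Sigma code. The flat event schema, the port set,
the owner allowlist and every sample event below are assumptions made for this
example; map your own telemetry (Sysmon 13/3, Security 4663) onto the fields.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Iterable

# Stores the sandboxed MSBuild.exe opened (paths from the report, user profile generalised).
CREDENTIAL_FILE_PATTERNS = (
    r"*\appdata\roaming\filezilla\recentservers.xml",
    r"*\appdata\roaming\smartftp\client 2.0\favorites\*",
    r"*\appdata\roaming\mozilla\firefox\profiles.ini",
    r"*\appdata\local\google\chrome\user data\*\cookies",
    r"*\appdata\local\google\chrome\user data\*\login data",
)
CREDENTIAL_KEY_PATTERNS = (
    r"hk*\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\*",
    r"hk*\software\martin prikryl\winscp 2\sessions*",
)
# Processes that legitimately read their own stores (assumed allowlist; tune per estate).
STORE_OWNERS = {"chrome.exe", "firefox.exe", "filezilla.exe", "smartftp.exe", "winscp.exe", "outlook.exe"}
RUN_KEY_PATTERN = r"hk*\software\microsoft\windows\currentversion\run\*"
SMTP_PORTS = {25, 465, 587}  # assumed port set behind "MSBuild connects to smtp port"


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _matches(value: str, patterns: Iterable[str]) -> bool:
    # Case-insensitive glob; '*' in fnmatch also crosses backslashes, which is what we want here.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p) for p in patterns)


def evaluate(events: Iterable[dict]) -> list[Finding]:
    """Run the three rules over an event stream and return the findings in order."""
    findings: list[Finding] = []
    for e in events:
        kind, image = e["event"], e["image"]
        proc = _basename(image).lower()
        if kind in ("file_open", "reg_key_open"):
            if proc in STORE_OWNERS:
                continue
            patterns = CREDENTIAL_FILE_PATTERNS if kind == "file_open" else CREDENTIAL_KEY_PATTERNS
            if _matches(e["target"], patterns):
                findings.append(Finding("credential_store_access", image, e["target"]))
        elif kind == "reg_value_set" and _matches(e["target"], (RUN_KEY_PATTERN,)):
            # Both Run values in the report launch binaries under %APPDATA%; flag that shape only.
            if "\\appdata\\" in e["details"].lower():
                findings.append(Finding("run_key_to_appdata", image, f"{_basename(e['target'])} -> {e['details']}"))
        elif kind == "net_connect" and proc == "msbuild.exe" and int(e["dst_port"]) in SMTP_PORTS:
            findings.append(Finding("msbuild_smtp", image, f"{e['dst_ip']}:{e['dst_port']}"))
    return findings


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SID = r"HKU\S-1-5-21-1-1-1-1001"  # constructed SID
# Constructed events modelled on the report; the chrome.exe, explorer.exe and :443 records are benign controls.
SAMPLE_EVENTS = [
    {"event": "file_open", "image": MSBUILD, "target": r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"},
    {"event": "file_open", "image": MSBUILD, "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_open", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "reg_key_open", "image": MSBUILD, "target": SID + r"\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"event": "reg_value_set", "image": r"C:\Users\alice\Desktop\Raeue.exe",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Tyovqojh",
     "details": r"C:\Users\alice\AppData\Roaming\Iqbhgo\Tyovqojh.exe"},
    {"event": "reg_value_set", "image": r"C:\Windows\explorer.exe",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater.exe /background"},
    {"event": "net_connect", "image": MSBUILD, "dst_ip": "216.246.112.22", "dst_port": 587},
    {"event": "net_connect", "image": MSBUILD, "dst_ip": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:24} {_basename(f.image):12} {f.detail}")
```

On the constructed stream the three benign controls (Chrome reading its own Login Data, explorer.exe writing a Run value that points into Program Files, MSBuild.exe on port 443) produce nothing and the five records modelled on the report each produce one finding. Note that Sysmon does not log registry key reads, so the `reg_key_open` rule needs object-access auditing (a SACL on the WinSCP and Outlook profile keys) or an EDR that records key opens; the Run-key and network rules work from Sysmon 13 and 3 alone.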
                              Process:C:\Users\user\Desktop\Raeue.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1213
                              Entropy (8bit):5.346387745306316
                              Encrypted:false
                              SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7QJE4jE4Kx1qE4FsXE4j:MxHKXwYHKhQnoPtHoxHhAHKzvQJHjHKh
                              MD5:F4C7B39CFF5A2F242F694D97216F9E9C
                              SHA1:3905274915EFA33D4BAC01AE14829AAA5C5C044C
                              SHA-256:E300E29CDE7B77AADAD24A0157E5252EF754E842D21291AAE34D891E4DB15456
                              SHA-512:D7BD11A51D5EB2FC93D252780559E010610AF4F2898D14565141CBBF12FBD52B76C9C61A255C2CC211AF0E216F6251BC0515FADB0A7DDB6329449625D80C1BDB
                              Malicious:true
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publ
                              Process:C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1121
                              Entropy (8bit):5.353852130793033
                              Encrypted:false
                              SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7QJE4jE4Kx1qE4j:MxHKXwYHKhQnoPtHoxHhAHKzvQJHjHKg
                              MD5:91F948D29B57F0086ED4AB9F8447B315
                              SHA1:632D82F2FC4181137657F593BB7850A9F01A3EF3
                              SHA-256:8D5276512C4BC5AA67979A8CC3CB3441DD9B837CA821037D49ECBF03CAE1B983
                              SHA-512:56D1FD69A3572E124DFB28E0C01A90920F7EE7993A975AE3716EEE9A800FE6A52F060770372078ADA64F810F2AC9B4FCF4F17663B8F67A9C601EC1FBB9AD616A
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publ
                              Process:C:\Users\user\Desktop\Raeue.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):778752
                              Entropy (8bit):6.2529606578734045
                              Encrypted:false
                              SSDEEP:12288:Ro7VntzJOQX040txZp8sNx2HExIWtWrnngnnnKnanxNY:u104SgWtWrnngnnnKnanxN
                              MD5:47D09683FC102A85A7DEA2516CA81FA3
                              SHA1:F64CC824ABD8804458C3F31F06C16D0BEC9338DD
                              SHA-256:848CE511DAF9046AB1AB3BED080D5C20BDEB3FD0BEBC016FC3AF70B892EBB5C9
                              SHA-512:ECCFF33ADE27412BE147D7F792EC150F79F0FBA322CBF4A2BEFB46F615A71C578BD15C324C579FDBB9C377F221679CF4A04575C9F8F4814841346A244E80A2A6
                              Malicious:true
                              Yara Hits:
                              • Rule: Typical_Malware_String_Transforms, Description: Detects typical strings in a reversed or otherwise modified form, Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe, Author: Florian Roth
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 34%
                              Process:C:\Users\user\Desktop\Raeue.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):261728
                              Entropy (8bit):6.1750840449797675
                              Encrypted:false
                              SSDEEP:3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
                              MD5:D621FD77BD585874F9686D3A76462EF1
                              SHA1:ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
                              SHA-256:2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
                              SHA-512:2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
                              Malicious:false
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 0%, Browse
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.6970840431455908
                              Encrypted:false
                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                              MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                              SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                              SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                              SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                              Malicious:false
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):6.2529606578734045
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:Raeue.exe
                              File size:778752
                              MD5:47d09683fc102a85a7dea2516ca81fa3
                              SHA1:f64cc824abd8804458c3f31f06c16d0bec9338dd
                              SHA256:848ce511daf9046ab1ab3bed080d5c20bdeb3fd0bebc016fc3af70b892ebb5c9
                              SHA512:eccff33ade27412be147d7f792ec150f79f0fba322cbf4a2befb46f615a71c578bd15c324c579fdbb9c377f221679cf4a04575c9f8f4814841346a244e80a2a6
                              SSDEEP:12288:Ro7VntzJOQX040txZp8sNx2HExIWtWrnngnnnKnanxNY:u104SgWtWrnngnnnKnanxN
                              TLSH:AFF46CA1E9534828C9245739BAB352B02DB9EC70C517E37267607EEBF037B20AD75172
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.7...............0..r...n......Z.... ........@.. .......................@............@................................
                              Icon Hash:71f094cef0f03082
                              Entrypoint:0x46915a
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x9C37093F [Sat Jan 18 22:35:43 2053 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                               Name                                  Virtual Address  Virtual Size  Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x69108          0x4f          .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6a000          0x56a5c       .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc2000          0xc           .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x690ec          0x1c          .text
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                               Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                               .text   0x2000           0x67160       0x67200   False     0.784997632576   data       7.52419685998   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                               .rsrc   0x6a000          0x56a5c       0x56c00   False     0.0990662148775  data       4.07481812029   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc  0xc2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               Name           RVA      Size     Type                                                                                                       Language  Country
                               RT_ICON        0x6a180  0x42028  dBase III DBT, version number 0, next free block index 40
                               RT_ICON        0xac1b8  0x10828  dBase III DBT, version number 0, next free block index 40
                               RT_ICON        0xbc9f0  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                               RT_ICON        0xbefa8  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                               RT_ICON        0xc0060  0x468    GLS_BINARY_LSB_FIRST
                               RT_GROUP_ICON  0xc04d8  0x4c     data
                               RT_VERSION     0xc0534  0x328    data
                               RT_MANIFEST    0xc086c  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                               DLL          Import
                               mscoree.dll  _CorExeMain
                               Description       Data
                               Translation       0x0000 0x04b0
                               LegalCopyright
                               Assembly Version  0.0.0.1
                               InternalName      Raeue.exe
                               FileVersion       0.0.0.1
                               CompanyName
                               LegalTrademarks
                               Comments          NeonDS public version
                               ProductName       NeonDS
                               ProductVersion    0.0.0.1
                               FileDescription   NeonDS public version
                               OriginalFilename  Raeue.exe
                               Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                               May 14, 2022 11:40:27.247693062 CEST  49695        443        192.168.2.3     40.126.31.143
                               May 14, 2022 11:40:27.794401884 CEST  49698        443        192.168.2.3     40.126.31.143
                               May 14, 2022 11:40:27.967834949 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.967905045 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.967957020 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.967995882 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.968034029 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.968060017 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.968075037 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.968097925 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.968111038 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.968125105 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.984200001 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984245062 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984272003 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984301090 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984329939 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984359026 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984390974 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984417915 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984447002 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984472990 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984534979 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984570980 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984596014 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984646082 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984677076 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984705925 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984734058 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984823942 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984852076 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984931946 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984941006 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.984965086 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.984993935 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985022068 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985050917 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985079050 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985157013 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985184908 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985253096 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985282898 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985307932 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985388041 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985418081 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985445976 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985471964 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985547066 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985598087 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985625982 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985676050 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985707045 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985754967 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985780001 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:27.985829115 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985856056 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985918045 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985946894 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.985977888 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986005068 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986085892 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986115932 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986145020 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986172915 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986202002 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986229897 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986275911 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:27.986355066 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:28.029622078 CEST  443          49691      204.79.197.200  192.168.2.3
                               May 14, 2022 11:40:28.029700994 CEST  49691        443        192.168.2.3     204.79.197.200
                               May 14, 2022 11:40:28.107018948 CEST  49706        443        192.168.2.3     40.126.31.143
                               May 14, 2022 11:40:38.360152960 CEST  49747        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.360208035 CEST  443          49747      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:38.360301018 CEST  49747        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.363143921 CEST  49747        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.363169909 CEST  443          49747      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:38.655924082 CEST  49748        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.655994892 CEST  443          49748      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:38.656083107 CEST  49748        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.656239986 CEST  49749        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.656315088 CEST  443          49749      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:38.656392097 CEST  49749        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.657080889 CEST  49748        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.657104969 CEST  443          49748      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:38.657260895 CEST  49749        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:38.657285929 CEST  443          49749      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:39.436511993 CEST  49750        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:39.436563015 CEST  443          49750      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:39.436676025 CEST  49750        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:39.436950922 CEST  49750        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:39.436970949 CEST  443          49750      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:39.938683033 CEST  49751        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:39.938752890 CEST  443          49751      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:39.938852072 CEST  49751        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:39.939223051 CEST  49751        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:39.939249992 CEST  443          49751      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:40.250390053 CEST  49752        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:40.250452995 CEST  443          49752      40.126.31.4     192.168.2.3
                               May 14, 2022 11:40:40.250607014 CEST  49752        443        192.168.2.3     40.126.31.4
                               May 14, 2022 11:40:40.250804901 CEST  49752        443        192.168.2.3     40.126.31.4
                               Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                               May 14, 2022 11:41:42.227566004 CEST  58625        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:41:42.456279039 CEST  53           58625      8.8.8.8      192.168.2.3
                               May 14, 2022 11:41:42.517323971 CEST  50778        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:41:42.762320995 CEST  53           50778      8.8.8.8      192.168.2.3
                               May 14, 2022 11:41:49.320611954 CEST  60640        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:41:49.557310104 CEST  53           60640      8.8.8.8      192.168.2.3
                               May 14, 2022 11:41:49.982928991 CEST  63861        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:41:50.223973036 CEST  53           63861      8.8.8.8      192.168.2.3
                               May 14, 2022 11:42:17.052181005 CEST  53524        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:42:17.299803019 CEST  53           53524      8.8.8.8      192.168.2.3
                               May 14, 2022 11:42:17.302987099 CEST  58561        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:42:17.530401945 CEST  53           58561      8.8.8.8      192.168.2.3
                               May 14, 2022 11:42:22.961636066 CEST  62547        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:42:22.980106115 CEST  53           62547      8.8.8.8      192.168.2.3
                               May 14, 2022 11:42:22.983575106 CEST  54096        53         192.168.2.3  8.8.8.8
                               May 14, 2022 11:42:23.002037048 CEST  53           54096      8.8.8.8      192.168.2.3
                               Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
                               May 14, 2022 11:41:42.227566004 CEST  192.168.2.3  8.8.8.8  0xd123    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               May 14, 2022 11:41:42.517323971 CEST  192.168.2.3  8.8.8.8  0xfd5c    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               May 14, 2022 11:41:49.320611954 CEST  192.168.2.3  8.8.8.8  0x171e    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               May 14, 2022 11:41:49.982928991 CEST  192.168.2.3  8.8.8.8  0x662b    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               May 14, 2022 11:42:17.052181005 CEST  192.168.2.3  8.8.8.8  0x13a8    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               May 14, 2022 11:42:17.302987099 CEST  192.168.2.3  8.8.8.8  0xf696    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               May 14, 2022 11:42:22.961636066 CEST  192.168.2.3  8.8.8.8  0x5910    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               May 14, 2022 11:42:22.983575106 CEST  192.168.2.3  8.8.8.8  0x884b    Standard query (0)  mail.metalindus.cl  A (IP address)  IN (0x0001)
                               Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                                 Address         Type                    Class
                               May 14, 2022 11:41:02.547914028 CEST  8.8.8.8    192.168.2.3  0xef27    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net                  CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:41:14.825031042 CEST  8.8.8.8    192.168.2.3  0x1b33    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net                  CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:41:42.456279039 CEST  8.8.8.8    192.168.2.3  0xd123    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:41:42.456279039 CEST  8.8.8.8    192.168.2.3  0xd123    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                               May 14, 2022 11:41:42.762320995 CEST  8.8.8.8    192.168.2.3  0xfd5c    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:41:42.762320995 CEST  8.8.8.8    192.168.2.3  0xfd5c    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                               May 14, 2022 11:41:49.557310104 CEST  8.8.8.8    192.168.2.3  0x171e    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:41:49.557310104 CEST  8.8.8.8    192.168.2.3  0x171e    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                               May 14, 2022 11:41:50.223973036 CEST  8.8.8.8    192.168.2.3  0x662b    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:41:50.223973036 CEST  8.8.8.8    192.168.2.3  0x662b    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                               May 14, 2022 11:42:17.299803019 CEST  8.8.8.8    192.168.2.3  0x13a8    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:42:17.299803019 CEST  8.8.8.8    192.168.2.3  0x13a8    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                               May 14, 2022 11:42:17.530401945 CEST  8.8.8.8    192.168.2.3  0xf696    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:42:17.530401945 CEST  8.8.8.8    192.168.2.3  0xf696    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                               May 14, 2022 11:42:22.980106115 CEST  8.8.8.8    192.168.2.3  0x5910    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:42:22.980106115 CEST  8.8.8.8    192.168.2.3  0x5910    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                               May 14, 2022 11:42:23.002037048 CEST  8.8.8.8    192.168.2.3  0x884b    No error (0)  mail.metalindus.cl        metalindus.cl                                         CNAME (Canonical name)  IN (0x0001)
                               May 14, 2022 11:42:23.002037048 CEST  8.8.8.8    192.168.2.3  0x884b    No error (0)  metalindus.cl                                                   216.246.112.22  A (IP address)          IN (0x0001)
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                              May 14, 2022 11:41:43.189877987 CEST | 587 | 49781 | 216.246.112.22 | 192.168.2.3 | 220-priva95.privatednsorg.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:41:42 -0400
                                  220-We do not authorize the use of this system to transport unsolicited,
                                  220 and/or bulk e-mail.
                              May 14, 2022 11:41:43.217617989 CEST | 49781 | 587 | 192.168.2.3 | 216.246.112.22 | EHLO 124406
                              May 14, 2022 11:41:43.333342075 CEST | 587 | 49781 | 216.246.112.22 | 192.168.2.3 | 250-priva95.privatednsorg.com Hello 124406 [102.129.143.55]
                                  250-SIZE 52428800
                                  250-8BITMIME
                                  250-PIPELINING
                                  250-PIPE_CONNECT
                                  250-AUTH PLAIN LOGIN
                                  250-STARTTLS
                                  250 HELP
                              May 14, 2022 11:41:43.408979893 CEST | 49781 | 587 | 192.168.2.3 | 216.246.112.22 | STARTTLS
                              May 14, 2022 11:41:43.526446104 CEST | 587 | 49781 | 216.246.112.22 | 192.168.2.3 | 220 TLS go ahead
                              May 14, 2022 11:41:50.566000938 CEST | 587 | 49792 | 216.246.112.22 | 192.168.2.3 | 220-priva95.privatednsorg.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:41:49 -0400
                                  220-We do not authorize the use of this system to transport unsolicited,
                                  220 and/or bulk e-mail.
                              May 14, 2022 11:41:50.566306114 CEST | 49792 | 587 | 192.168.2.3 | 216.246.112.22 | EHLO 124406
                              May 14, 2022 11:41:50.683195114 CEST | 587 | 49792 | 216.246.112.22 | 192.168.2.3 | 250-priva95.privatednsorg.com Hello 124406 [102.129.143.55]
                                  250-SIZE 52428800
                                  250-8BITMIME
                                  250-PIPELINING
                                  250-PIPE_CONNECT
                                  250-AUTH PLAIN LOGIN
                                  250-STARTTLS
                                  250 HELP
                              May 14, 2022 11:41:50.683720112 CEST | 49792 | 587 | 192.168.2.3 | 216.246.112.22 | STARTTLS
                              May 14, 2022 11:41:50.803344011 CEST | 587 | 49792 | 216.246.112.22 | 192.168.2.3 | 220 TLS go ahead
                              May 14, 2022 11:42:17.888864040 CEST | 587 | 49839 | 216.246.112.22 | 192.168.2.3 | 220-priva95.privatednsorg.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:42:17 -0400
                                  220-We do not authorize the use of this system to transport unsolicited,
                                  220 and/or bulk e-mail.
                              May 14, 2022 11:42:17.889961958 CEST | 49839 | 587 | 192.168.2.3 | 216.246.112.22 | EHLO 124406
                              May 14, 2022 11:42:18.006761074 CEST | 587 | 49839 | 216.246.112.22 | 192.168.2.3 | 250-priva95.privatednsorg.com Hello 124406 [102.129.143.55]
                                  250-SIZE 52428800
                                  250-8BITMIME
                                  250-PIPELINING
                                  250-PIPE_CONNECT
                                  250-AUTH PLAIN LOGIN
                                  250-STARTTLS
                                  250 HELP
                              May 14, 2022 11:42:18.007395029 CEST | 49839 | 587 | 192.168.2.3 | 216.246.112.22 | STARTTLS
                              May 14, 2022 11:42:18.126185894 CEST | 587 | 49839 | 216.246.112.22 | 192.168.2.3 | 220 TLS go ahead
                              May 14, 2022 11:42:23.251547098 CEST | 587 | 49841 | 216.246.112.22 | 192.168.2.3 | 220-priva95.privatednsorg.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:42:22 -0400
                                  220-We do not authorize the use of this system to transport unsolicited,
                                  220 and/or bulk e-mail.
                              May 14, 2022 11:42:23.251890898 CEST | 49841 | 587 | 192.168.2.3 | 216.246.112.22 | EHLO 124406
                              May 14, 2022 11:42:23.368700027 CEST | 587 | 49841 | 216.246.112.22 | 192.168.2.3 | 250-priva95.privatednsorg.com Hello 124406 [102.129.143.55]
                                  250-SIZE 52428800
                                  250-8BITMIME
                                  250-PIPELINING
                                  250-PIPE_CONNECT
                                  250-AUTH PLAIN LOGIN
                                  250-STARTTLS
                                  250 HELP
                              May 14, 2022 11:42:23.368897915 CEST | 49841 | 587 | 192.168.2.3 | 216.246.112.22 | STARTTLS
                              May 14, 2022 11:42:23.487533092 CEST | 587 | 49841 | 216.246.112.22 | 192.168.2.3 | 220 TLS go ahead
                              May 14, 2022 11:42:27.053615093 CEST | 587 | 49856 | 216.246.112.22 | 192.168.2.3 | 220-priva95.privatednsorg.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:42:26 -0400
                                  220-We do not authorize the use of this system to transport unsolicited,
                                  220 and/or bulk e-mail.
                              May 14, 2022 11:42:27.054924011 CEST | 49856 | 587 | 192.168.2.3 | 216.246.112.22 | EHLO 124406
                              May 14, 2022 11:42:27.212974072 CEST | 587 | 49856 | 216.246.112.22 | 192.168.2.3 | 250-priva95.privatednsorg.com Hello 124406 [102.129.143.55]
                                  250-SIZE 52428800
                                  250-8BITMIME
                                  250-PIPELINING
                                  250-PIPE_CONNECT
                                  250-AUTH PLAIN LOGIN
                                  250-STARTTLS
                                  250 HELP
                              May 14, 2022 11:42:27.213399887 CEST | 49856 | 587 | 192.168.2.3 | 216.246.112.22 | STARTTLS
                              May 14, 2022 11:42:27.373087883 CEST | 587 | 49856 | 216.246.112.22 | 192.168.2.3 | 220 TLS go ahead
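All five SMTP sessions in the table above share the same plaintext prefix: server banner, EHLO 124406, a capability list that advertises AUTH PLAIN LOGIN and STARTTLS, then STARTTLS and "220 TLS go ahead". The sandbox records nothing after that because the AUTH command, the envelope and the exfiltrated message all travel inside TLS on port 587. The Python script below is an added example and is not part of the Joe Sandbox report. It pairs each client command with the server's complete multi-line ESMTP reply, extracts what the plaintext prefix does reveal (banner hostname, EHLO identity, the egress address the server echoed back, advertised capabilities) and states whether the credentials were protected by STARTTLS. SESSION_1 is the first session copied from the table; SESSION_CLEARTEXT, including its mailbox name and password, is constructed for the example to show the case where a client authenticates without switching to TLS and the capture therefore contains the credentials.

```python
"""Triage the plaintext prefix of a captured SMTP session (added example, not from the report)."""
import base64
import re

# SESSION_1: first SMTP session from the report's table, as (direction, line) pairs.
# "S" = mail server 216.246.112.22:587, "C" = infected host 192.168.2.3.
SESSION_1 = [
    ("S", "220-priva95.privatednsorg.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 05:41:42 -0400"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 124406"),
    ("S", "250-priva95.privatednsorg.com Hello 124406 [102.129.143.55]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-PIPE_CONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "STARTTLS"),
    ("S", "220 TLS go ahead"),
]

# SESSION_CLEARTEXT: constructed (not from the report): the client skips STARTTLS and
# authenticates in the clear. Mailbox and password are made up for the example.
AUTH_PLAIN_ARG = base64.b64encode(b"\0bot@example.invalid\0hunter2").decode()
SESSION_CLEARTEXT = SESSION_1[:12] + [
    ("C", "AUTH PLAIN " + AUTH_PLAIN_ARG),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<bot@example.invalid>"),
    ("S", "250 OK"),
]

def parse_exchanges(transcript):
    """Return (command, reply_code, reply_lines) tuples; the greeting has command None.
    RFC 5321 4.2.1: a reply continues while the code is followed by '-' and ends where it is
    followed by a space (or nothing). Assumes the client waits for each reply (no PIPELINING)."""
    exchanges, command, pending = [], None, []
    for who, line in transcript:
        if who == "C":
            if pending:
                raise ValueError(f"client sent {line!r} inside an unfinished reply")
            command = line
            continue
        m = re.match(r"^(\d{3})(-| |$)(.*)$", line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        pending.append(m.group(3))
        if m.group(2) != "-":  # final line of this reply
            exchanges.append((command, int(m.group(1)), pending))
            command, pending = None, []
    if pending:
        raise ValueError("transcript ends inside a multi-line reply")
    return exchanges

def analyse(transcript):
    """Summarise what the plaintext part of the session exposes, plus triage findings."""
    r = {"server_name": None, "ehlo_identity": None, "client_public_ip": None, "capabilities": [],
         "starttls_negotiated": False, "cleartext_auth": None, "cleartext_envelope": [], "findings": []}
    tls = False
    for command, code, lines in parse_exchanges(transcript):
        verb = command.split()[0].upper() if command else None
        if verb is None and code == 220:
            r["server_name"] = lines[0].split()[0]          # hostname in the banner
        elif verb == "EHLO" and code == 250:
            r["ehlo_identity"] = command[5:].strip()
            ip = re.search(r"\[([\d.]+)\]", lines[0])        # address the server saw us from
            r["client_public_ip"] = ip.group(1) if ip else None
            r["capabilities"] = lines[1:]                    # first line is the greeting
        elif verb == "STARTTLS" and code == 220:
            r["starttls_negotiated"] = tls = True
        elif verb == "AUTH" and not tls:
            r["cleartext_auth"] = command                    # a failed AUTH leaks the secret too
        elif verb in ("MAIL", "RCPT", "DATA") and not tls:
            r["cleartext_envelope"].append(command)
    ident = r["ehlo_identity"]
    if ident is not None and "." not in ident and not ident.startswith("["):
        r["findings"].append(f"EHLO identity {ident!r} is neither an FQDN nor an address literal")
    if r["starttls_negotiated"]:
        r["findings"].append("STARTTLS accepted: AUTH, envelope and body are inside TLS, so the "
                             "capture ends here and the mailbox credentials are not in it")
    if r["cleartext_auth"]:
        r["findings"].append("credentials sent before TLS: " + r["cleartext_auth"])
    return r

def decode_auth_plain(argument):
    """Decode an AUTH PLAIN initial response (RFC 4616): authzid NUL authcid NUL password."""
    authzid, authcid, password = base64.b64decode(argument).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()

if __name__ == "__main__":
    for label, session in (("report session 1", SESSION_1), ("constructed cleartext", SESSION_CLEARTEXT)):
        result = analyse(session)
        print(label, "->", result["server_name"], result["client_public_ip"], result["findings"])
        if result["cleartext_auth"]:
            print("  decoded:", decode_auth_plain(result["cleartext_auth"].split()[2]))
```

Run directly, it prints both triage results. The EHLO check is a heuristic only: RFC 5321 asks for the client's FQDN or an address literal, so a host that legitimately has a single-label name also trips it. The point the first finding makes is the operational one for this report: with STARTTLS completed, the mailbox account the sample uses has to come from the extracted malware configuration, not from the network capture.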


                              Target ID:0
                              Start time:11:40:33
                              Start date:14/05/2022
                              Path:C:\Users\user\Desktop\Raeue.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Raeue.exe"
                              Imagebase:0x910000
                              File size:778752 bytes
                              MD5 hash:47D09683FC102A85A7DEA2516CA81FA3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.382727411.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.382727411.0000000003F92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.380956103.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.380956103.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low

                              Target ID:1
                              Start time:11:40:34
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:2
                              Start time:11:40:35
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:3
                              Start time:11:40:35
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:4
                              Start time:11:40:36
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:5
                              Start time:11:40:37
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:6
                              Start time:11:40:37
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:7
                              Start time:11:40:38
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:9
                              Start time:11:40:39
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:10
                              Start time:11:40:39
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:12
                              Start time:11:40:40
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:13
                              Start time:11:40:40
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:14
                              Start time:11:40:41
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:16
                              Start time:11:40:42
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:17
                              Start time:11:40:42
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:18
                              Start time:11:40:43
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:19
                              Start time:11:40:44
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:20
                              Start time:11:40:44
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:21
                              Start time:11:40:45
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:22
                              Start time:11:40:46
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:23
                              Start time:11:40:46
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:24
                              Start time:11:40:47
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:25
                              Start time:11:40:49
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:26
                              Start time:11:40:49
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:27
                              Start time:11:40:51
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:29
                              Start time:11:40:52
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:30
                              Start time:11:40:52
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:31
                              Start time:11:40:53
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0x7ff73c930000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:32
                              Start time:11:40:54
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:34
                              Start time:11:40:54
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:36
                              Start time:11:40:55
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:38
                              Start time:11:40:56
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:40
                              Start time:11:40:56
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:41
                              Start time:11:40:57
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:44
                              Start time:11:40:58
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:45
                              Start time:11:40:58
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:46
                              Start time:11:40:59
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:47
                              Start time:11:41:00
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:49
                              Start time:11:41:00
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:50
                              Start time:11:41:01
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:51
                              Start time:11:41:02
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:52
                              Start time:11:41:02
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:54
                              Start time:11:41:03
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:55
                              Start time:11:41:04
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:56
                              Start time:11:41:04
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:57
                              Start time:11:41:05
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:58
                              Start time:11:41:06
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:59
                              Start time:11:41:07
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:60
                              Start time:11:41:08
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:62
                              Start time:11:41:10
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:63
                              Start time:11:41:10
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:64
                              Start time:11:41:11
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:65
                              Start time:11:41:12
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:66
                              Start time:11:41:12
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:67
                              Start time:11:41:13
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:68
                              Start time:11:41:14
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:69
                              Start time:11:41:14
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:70
                              Start time:11:41:15
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:71
                              Start time:11:41:16
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 1
                              Imagebase:0xc20000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:72
                              Start time:11:41:16
                              Start date:14/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c9170000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:73
                              Start time:11:41:17
                              Start date:14/05/2022
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout /t 1
                              Imagebase:0xbe0000
                              File size:26112 bytes
                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:76
                              Start time:11:41:29
                              Start date:14/05/2022
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              Imagebase:0xb30000
                              File size:261728 bytes
                              MD5 hash:D621FD77BD585874F9686D3A76462EF1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004C.00000000.368773514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004C.00000000.368773514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004C.00000000.368417395.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004C.00000000.368417395.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004C.00000000.367740613.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004C.00000000.367740613.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004C.00000000.368074941.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004C.00000000.368074941.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004C.00000002.464873991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004C.00000002.464873991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000004C.00000002.466512329.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                              Target ID:79
                              Start time:11:41:40
                              Start date:14/05/2022
                              Path:C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe"
                              Imagebase:0x5b0000
                              File size:778752 bytes
                              MD5 hash:47D09683FC102A85A7DEA2516CA81FA3
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004F.00000002.479898674.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004F.00000002.479898674.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004F.00000002.480513797.0000000003C32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004F.00000002.480513797.0000000003C32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000004F.00000002.481850600.0000000007A0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000004F.00000002.481850600.0000000007A0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Typical_Malware_String_Transforms, Description: Detects typical strings in a reversed or otherwise modified form, Source: C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe, Author: Florian Roth
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 34%, ReversingLabs

                              No disassembly