Edit tour

Windows Analysis Report
BANK DATAILS.exe

Overview

General Information

Sample Name:	BANK DATAILS.exe
Analysis ID:	679255
MD5:	9c8721d5f0dfcb5893766810fc016b1b
SHA1:	097e2d6bd75f55fee4ba991696d15bbd0f73137f
SHA256:	22083794e761ae3e2fb684244ddadba8353b0dc25549d9591dbbd118dde52054
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: MSBuild connects to smtp port

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

BANK DATAILS.exe (PID: 5276 cmdline: "C:\Users\user\Desktop\BANK DATAILS.exe" MD5: 9C8721D5F0DFCB5893766810FC016B1B)

MSBuild.exe (PID: 916 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

MSBuild.exe (PID: 5676 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

MSBuild.exe (PID: 2908 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "quality@keeprojects.in", "Password": "quality#@!", "Host": "webmail.keeprojects.in"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30097:$a13: get_DnsResolver 0x2e899:$a20: get_LastAccessed 0x30a15:$a27: set_InternalServerPort 0x30d31:$a30: set_GuidMasterKey 0x2e9a0:$a33: get_Clipboard 0x2e9ae:$a34: get_Keyboard 0x2fcb2:$a35: get_ShiftKeyDown 0x2fcc3:$a36: get_AltKeyDown 0x2e9bb:$a37: get_Password 0x2f462:$a38: get_PasswordHash 0x30497:$a39: get_DefaultCredentials
00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1a8c97:$a13: get_DnsResolver 0x1dd0b7:$a13: get_DnsResolver 0x1a7499:$a20: get_LastAccessed 0x1db8b9:$a20: get_LastAccessed 0x1a9615:$a27: set_InternalServerPort 0x1dda35:$a27: set_InternalServerPort 0x1a9931:$a30: set_GuidMasterKey 0x1ddd51:$a30: set_GuidMasterKey 0x1a75a0:$a33: get_Clipboard 0x1db9c0:$a33: get_Clipboard 0x1a75ae:$a34: get_Keyboard 0x1db9ce:$a34: get_Keyboard 0x1a88b2:$a35: get_ShiftKeyDown 0x1dccd2:$a35: get_ShiftKeyDown 0x1a88c3:$a36: get_AltKeyDown 0x1dcce3:$a36: get_AltKeyDown 0x1a75bb:$a37: get_Password 0x1db9db:$a37: get_Password 0x1a8062:$a38: get_PasswordHash 0x1dc482:$a38: get_PasswordHash 0x1a9097:$a39: get_DefaultCredentials
00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BANK DATAILS.exe PID: 5276	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0xa33d4:$s5: AEAAAAMAAQqVT 0xa3345:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: BANK DATAILS.exe PID: 5276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BANK DATAILS.exe PID: 5276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BANK DATAILS.exe PID: 5276	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x870eb:$a13: get_DnsResolver 0x85f6a:$a20: get_LastAccessed 0x8782b:$a27: set_InternalServerPort 0x879ff:$a30: set_GuidMasterKey 0x8604f:$a33: get_Clipboard 0x8605d:$a34: get_Keyboard 0x86e41:$a35: get_ShiftKeyDown 0x86e52:$a36: get_AltKeyDown 0x8606a:$a37: get_Password 0x867ee:$a38: get_PasswordHash 0x873e5:$a39: get_DefaultCredentials
Process Memory Space: MSBuild.exe PID: 2908	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 2908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 2908	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e47b:$a13: get_DnsResolver 0x2cedd:$a20: get_LastAccessed 0x2eda8:$a27: set_InternalServerPort 0x2f004:$a30: set_GuidMasterKey 0x2cfd0:$a33: get_Clipboard 0x2cfde:$a34: get_Keyboard 0x2e135:$a35: get_ShiftKeyDown 0x2e146:$a36: get_AltKeyDown 0x2cfeb:$a37: get_Password 0x2d9ee:$a38: get_PasswordHash 0x2e84f:$a39: get_DefaultCredentials
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.BANK DATAILS.exe.3b41a00.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BANK DATAILS.exe.3b41a00.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.BANK DATAILS.exe.3b41a00.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d6c:$s10: logins 0x307d3:$s11: credential 0x2cda0:$g1: get_Clipboard 0x2cdae:$g2: get_Keyboard 0x2cdbb:$g3: get_Password 0x2e0a2:$g4: get_CtrlKeyDown 0x2e0b2:$g5: get_ShiftKeyDown 0x2e0c3:$g6: get_AltKeyDown
0.2.BANK DATAILS.exe.3b41a00.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e497:$a13: get_DnsResolver 0x2cc99:$a20: get_LastAccessed 0x2ee15:$a27: set_InternalServerPort 0x2f131:$a30: set_GuidMasterKey 0x2cda0:$a33: get_Clipboard 0x2cdae:$a34: get_Keyboard 0x2e0b2:$a35: get_ShiftKeyDown 0x2e0c3:$a36: get_AltKeyDown 0x2cdbb:$a37: get_Password 0x2d862:$a38: get_PasswordHash 0x2e897:$a39: get_DefaultCredentials
6.0.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.MSBuild.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b6c:$s10: logins 0x325d3:$s11: credential 0x2eba0:$g1: get_Clipboard 0x2ebae:$g2: get_Keyboard 0x2ebbb:$g3: get_Password 0x2fea2:$g4: get_CtrlKeyDown 0x2feb2:$g5: get_ShiftKeyDown 0x2fec3:$g6: get_AltKeyDown
6.0.MSBuild.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30297:$a13: get_DnsResolver 0x2ea99:$a20: get_LastAccessed 0x30c15:$a27: set_InternalServerPort 0x30f31:$a30: set_GuidMasterKey 0x2eba0:$a33: get_Clipboard 0x2ebae:$a34: get_Keyboard 0x2feb2:$a35: get_ShiftKeyDown 0x2fec3:$a36: get_AltKeyDown 0x2ebbb:$a37: get_Password 0x2f662:$a38: get_PasswordHash 0x30697:$a39: get_DefaultCredentials
0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b6c:$s10: logins 0x66f8c:$s10: logins 0x325d3:$s11: credential 0x669f3:$s11: credential 0x2eba0:$g1: get_Clipboard 0x62fc0:$g1: get_Clipboard 0x2ebae:$g2: get_Keyboard 0x62fce:$g2: get_Keyboard 0x2ebbb:$g3: get_Password 0x62fdb:$g3: get_Password 0x2fea2:$g4: get_CtrlKeyDown 0x642c2:$g4: get_CtrlKeyDown 0x2feb2:$g5: get_ShiftKeyDown 0x642d2:$g5: get_ShiftKeyDown 0x2fec3:$g6: get_AltKeyDown 0x642e3:$g6: get_AltKeyDown
0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30297:$a13: get_DnsResolver 0x646b7:$a13: get_DnsResolver 0x2ea99:$a20: get_LastAccessed 0x62eb9:$a20: get_LastAccessed 0x30c15:$a27: set_InternalServerPort 0x65035:$a27: set_InternalServerPort 0x30f31:$a30: set_GuidMasterKey 0x65351:$a30: set_GuidMasterKey 0x2eba0:$a33: get_Clipboard 0x62fc0:$a33: get_Clipboard 0x2ebae:$a34: get_Keyboard 0x62fce:$a34: get_Keyboard 0x2feb2:$a35: get_ShiftKeyDown 0x642d2:$a35: get_ShiftKeyDown 0x2fec3:$a36: get_AltKeyDown 0x642e3:$a36: get_AltKeyDown 0x2ebbb:$a37: get_Password 0x62fdb:$a37: get_Password 0x2f662:$a38: get_PasswordHash 0x63a82:$a38: get_PasswordHash 0x30697:$a39: get_DefaultCredentials
0.2.BANK DATAILS.exe.3a60980.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BANK DATAILS.exe.3a60980.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.BANK DATAILS.exe.3a60980.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x113bec:$s10: logins 0x14800c:$s10: logins 0x113653:$s11: credential 0x147a73:$s11: credential 0x10fc20:$g1: get_Clipboard 0x144040:$g1: get_Clipboard 0x10fc2e:$g2: get_Keyboard 0x14404e:$g2: get_Keyboard 0x10fc3b:$g3: get_Password 0x14405b:$g3: get_Password 0x110f22:$g4: get_CtrlKeyDown 0x145342:$g4: get_CtrlKeyDown 0x110f32:$g5: get_ShiftKeyDown 0x145352:$g5: get_ShiftKeyDown 0x110f43:$g6: get_AltKeyDown 0x145363:$g6: get_AltKeyDown
0.2.BANK DATAILS.exe.3a60980.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x111317:$a13: get_DnsResolver 0x145737:$a13: get_DnsResolver 0x10fb19:$a20: get_LastAccessed 0x143f39:$a20: get_LastAccessed 0x111c95:$a27: set_InternalServerPort 0x1460b5:$a27: set_InternalServerPort 0x111fb1:$a30: set_GuidMasterKey 0x1463d1:$a30: set_GuidMasterKey 0x10fc20:$a33: get_Clipboard 0x144040:$a33: get_Clipboard 0x10fc2e:$a34: get_Keyboard 0x14404e:$a34: get_Keyboard 0x110f32:$a35: get_ShiftKeyDown 0x145352:$a35: get_ShiftKeyDown 0x110f43:$a36: get_AltKeyDown 0x145363:$a36: get_AltKeyDown 0x10fc3b:$a37: get_Password 0x14405b:$a37: get_Password 0x1106e2:$a38: get_PasswordHash 0x144b02:$a38: get_PasswordHash 0x111717:$a39: get_DefaultCredentials
Click to see the 11 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.195.185.58, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2908, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49737

Snort Signatures

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.3 - Destination IP: 103.195.185.58

Timestamp:	192.168.2.3103.195.185.58497375872839723 08/05/22-13:24:47.100821
SID:	2839723
Source Port:	49737
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 103.195.185.58

Timestamp:	192.168.2.3103.195.185.58497375872851779 08/05/22-13:24:47.100944
SID:	2851779
Source Port:	49737
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.3 - Destination IP: 103.195.185.58

Timestamp:	192.168.2.3103.195.185.58497375872840032 08/05/22-13:24:47.100944
SID:	2840032
Source Port:	49737
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.3 - Destination IP: 103.195.185.58

Timestamp:	192.168.2.3103.195.185.58497375872030171 08/05/22-13:24:47.100821
SID:	2030171
Source Port:	49737
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BANK DATAILS.exe	Virustotal: Detection: 54%			Perma Link
Source: BANK DATAILS.exe	ReversingLabs: Detection: 35%

Multi AV Scanner detection for domain / URL

Source: webmail.keeprojects.in

Virustotal: Detection: 6%

Perma Link

Machine Learning detection for sample

Source: BANK DATAILS.exe

Joe Sandbox ML: detected

Source: 6.0.MSBuild.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 6.0.MSBuild.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "quality@keeprojects.in", "Password": "quality#@!", "Host": "webmail.keeprojects.in"}

Source: BANK DATAILS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: BANK DATAILS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49737 -> 103.195.185.58:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49737 -> 103.195.185.58:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49737 -> 103.195.185.58:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49737 -> 103.195.185.58:587

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View

IP Address: 103.195.185.58 103.195.185.58

Source: global traffic

TCP traffic: 192.168.2.3:49737 -> 103.195.185.58:587

Source: global traffic

TCP traffic: 192.168.2.3:49737 -> 103.195.185.58:587

Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nhEGCU.com
Source: BANK DATAILS.exe	String found in binary or memory: http://tempuri.org/MyCollectionDataSet.xsd
Source: MSBuild.exe, 00000006.00000002.517794131.0000000003383000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webmail.keeprojects.in
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/de
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BANK DATAILS.exe, 00000000.00000003.253469560.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253525233.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253493892.000000000593D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BANK DATAILS.exe, 00000000.00000003.253469560.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253525233.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253493892.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253575573.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253540774.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253620821.000000000593D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmle
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFHs
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTFds
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomdms
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdv
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comede
Source: BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrita
Source: BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comldom
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtto
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245874250.000000000591B000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245858860.0000000005924000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245884516.0000000005924000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245841440.000000000591B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: BANK DATAILS.exe, 00000000.00000003.249079298.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248813527.0000000005904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.c
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248786545.000000000593D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BANK DATAILS.exe, 00000000.00000003.248813527.0000000005904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn.
Source: BANK DATAILS.exe, 00000000.00000003.249073188.0000000005904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: BANK DATAILS.exe, 00000000.00000003.249073188.0000000005904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/TDhB
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BANK DATAILS.exe, 00000000.00000003.248786545.000000000593D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-n
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BANK DATAILS.exe, 00000000.00000003.245996369.0000000005923000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245926609.0000000005922000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245609029.0000000005923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krB
Source: BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krdq
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.246417212.000000000591B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: BANK DATAILS.exe, 00000000.00000003.246280740.000000000591B000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.246417212.000000000591B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com&Q
Source: BANK DATAILS.exe, 00000000.00000003.246434562.000000000591B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comaQ
Source: BANK DATAILS.exe, 00000000.00000003.246434562.000000000591B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comc
Source: BANK DATAILS.exe, 00000000.00000003.246280740.000000000591B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comh
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deyq
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://X837hbNl7u614NNf6o.net
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: webmail.keeprojects.in

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 6.0.MSBuild.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b72ADB0BDu002dE6D8u002d456Cu002dB710u002dD9724B0D01CBu007d/ADCCF321u002d56D8u002d41E2u002dB0A6u002d436B52B63111.cs

Large array initialization: .cctor: array initializer size 11618

Source: BANK DATAILS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Code function: 0_2_00F44A10	0_2_00F44A10
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Code function: 0_2_00F4C4B4	0_2_00F4C4B4
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Code function: 0_2_00F44A06	0_2_00F44A06
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Code function: 0_2_00F4ED60	0_2_00F4ED60
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Code function: 0_2_00F4ED50	0_2_00F4ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0159F080	6_2_0159F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0159F3C8	6_2_0159F3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_01596120	6_2_01596120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_061EB730	6_2_061EB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_061EC480	6_2_061EC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_061E1FF8	6_2_061E1FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_061E0040	6_2_061E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06824EB0	6_2_06824EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068266C8	6_2_068266C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0682C7B0	6_2_0682C7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0682EBB0	6_2_0682EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0682E020	6_2_0682E020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068232A8	6_2_068232A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06821D28	6_2_06821D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_069B4040	6_2_069B4040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_069B1CD8	6_2_069B1CD8

Source: BANK DATAILS.exe, 00000000.00000000.241417077.0000000000598000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerQooZu.exe: vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBoluxvACLLYUDPsbdXzoAMGZzttgGVPry.exe4 vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.296493208.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.290109071.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.290109071.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBoluxvACLLYUDPsbdXzoAMGZzttgGVPry.exe4 vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.304934354.00000000072E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK DATAILS.exe
Source: BANK DATAILS.exe	Binary or memory string: OriginalFilenamerQooZu.exe: vs BANK DATAILS.exe

Source: BANK DATAILS.exe	Virustotal: Detection: 54%
Source: BANK DATAILS.exe	ReversingLabs: Detection: 35%

Source: BANK DATAILS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK DATAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BANK DATAILS.exe "C:\Users\user\Desktop\BANK DATAILS.exe"
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BANK DATAILS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK DATAILS.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@7/1@1/2

Source: BANK DATAILS.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 6.0.MSBuild.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.MSBuild.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\BANK DATAILS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BANK DATAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BANK DATAILS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Code function: 0_2_00F40015 push esp; retf	0_2_00F40016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_061E9770 push es; ret	6_2_061EA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_061E3139 push es; iretd	6_2_061E313C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_061EF1C8 push esp; ret	6_2_061EF1C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068232A8 push es; iretd	6_2_068240B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0682178F push es; ret	6_2_068218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0682179B push es; ret	6_2_068218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068217EB push es; ret	6_2_068218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06821753 push es; ret	6_2_068218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068218AF push es; ret	6_2_06821910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068218B3 push es; ret	6_2_06821910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068240B1 push es; iretd	6_2_06824148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06821CCA push 10061CCFh; retf	6_2_06821CD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06821817 push es; ret	6_2_068218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_0682181B push es; ret	6_2_068218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06821867 push es; ret	6_2_068218C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_068241D9 push es; iretd	6_2_068241E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06824149 push es; iretd	6_2_068241D8

Source: initial sample

Static PE information: section name: .text entropy: 6.9916083972247

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\BANK DATAILS.exe TID: 5416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5924	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5960	Thread sleep count: 9701 > 30	Jump to behavior

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window / User API: threadDelayed 9701

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BANK DATAILS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: MSBuild.exe, 00000006.00000002.522911178.00000000064DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000003.326970071.00000000064CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj[[$
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 6_2_069B5488 LdrInitializeThunk,

6_2_069B5488

Source: C:\Users\user\Desktop\BANK DATAILS.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Users\user\Desktop\BANK DATAILS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK DATAILS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BANK DATAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	11 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BANK DATAILS.exe	55%	Virustotal		Browse
BANK DATAILS.exe	35%	ReversingLabs	ByteCode-MSIL.Spyware.SnakeLogger
BANK DATAILS.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
webmail.keeprojects.in	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://webmail.keeprojects.in	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.comcomdms	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
https://X837hbNl7u614NNf6o.net	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comldom	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://www.founder.com.cn/cn/TDhB	0%	Avira URL Cloud	safe
http://www.tiro.com&Q	0%	Avira URL Cloud	safe
http://tempuri.org/MyCollectionDataSet.xsd	0%	Avira URL Cloud	safe
http://nhEGCU.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.fontbureau.comtto	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sandoll.co.krB	0%	Avira URL Cloud	safe
http://www.fontbureau.comFHs	0%	Avira URL Cloud	safe
http://www.fontbureau.comI.TTFds	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnl-n	0%	URL Reputation	safe
http://www.fontbureau.comdv	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.sandoll.co.krdq	0%	Avira URL Cloud	safe
http://www.founder.com.c	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.comaQ	0%	Avira URL Cloud	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn.	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.urwpp.deyq	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comede	0%	Avira URL Cloud	safe
http://www.tiro.comh	0%	URL Reputation	safe
http://www.tiro.comc	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
webmail.keeprojects.in	103.195.185.58	true	true	7%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://webmail.keeprojects.in	MSBuild.exe, 00000006.00000002.517794131.0000000003383000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comcomdms	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.246417212.000000000591B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://X837hbNl7u614NNf6o.net	MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comldom	BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	BANK DATAILS.exe, 00000000.00000003.245996369.0000000005923000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245926609.0000000005922000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245609029.0000000005923000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrita	BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/TDhB	BANK DATAILS.exe, 00000000.00000003.249073188.0000000005904000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com&Q	BANK DATAILS.exe, 00000000.00000003.246280740.000000000591B000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.246417212.000000000591B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://tempuri.org/MyCollectionDataSet.xsd	BANK DATAILS.exe	false	Avira URL Cloud: safe	unknown
http://nhEGCU.com	MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcom	BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrito	BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comtto	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245874250.000000000591B000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245858860.0000000005924000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245884516.0000000005924000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245841440.000000000591B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krB	BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comFHs	BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comI.TTFds	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnl-n	BANK DATAILS.exe, 00000000.00000003.248786545.000000000593D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/de	BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comdv	BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krdq	BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.c	BANK DATAILS.exe, 00000000.00000003.249079298.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248813527.0000000005904000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comaQ	BANK DATAILS.exe, 00000000.00000003.246434562.000000000591B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmle	BANK DATAILS.exe, 00000000.00000003.253469560.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253525233.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253493892.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253575573.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253540774.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253620821.000000000593D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comd	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	BANK DATAILS.exe, 00000000.00000003.249073188.0000000005904000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn.	BANK DATAILS.exe, 00000000.00000003.248813527.0000000005904000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248786545.000000000593D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	BANK DATAILS.exe, 00000000.00000003.253469560.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253525233.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253493892.000000000593D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deyq	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comals	BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comede	BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comh	BANK DATAILS.exe, 00000000.00000003.246280740.000000000591B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comc	BANK DATAILS.exe, 00000000.00000003.246434562.000000000591B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.195.185.58	webmail.keeprojects.in	India		394695	PUBLIC-DOMAIN-REGISTRYUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679255
Start date and time: 05/08/202213:23:06	2022-08-05 13:23:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BANK DATAILS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@7/1@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:24:18	API Interceptor	1x Sleep call for process: BANK DATAILS.exe modified
13:24:30	API Interceptor	678x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
103.195.185.58	FOLLOW UP PAYMENT.exe	Get hash	malicious	Browse
	LIST OF PRODUCT AND SPECIFICATIONS.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.11575.exe	Get hash	malicious	Browse
	INVOICE.exe	Get hash	malicious	Browse
	ARRIVAL NOTICE.exe	Get hash	malicious	Browse
	CNC.exe	Get hash	malicious	Browse
	CNC.exe	Get hash	malicious	Browse
	features and accessories..exe	Get hash	malicious	Browse
	features and accessories.exe	Get hash	malicious	Browse
	DOCUMENTS.exe	Get hash	malicious	Browse
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse
	PAYMENT FOR AMOUNT.exe	Get hash	malicious	Browse
	DOCUMENTS ASEAN.exe	Get hash	malicious	Browse
	SCANDINAVIA V020E.exe	Get hash	malicious	Browse
	payment instruction.exe	Get hash	malicious	Browse
	PO#7A68D20.exe	Get hash	malicious	Browse
	PO#7A68D20.exe	Get hash	malicious	Browse
	JCTRANS.exe	Get hash	malicious	Browse
	PAYMENT SLIP.exe	Get hash	malicious	Browse
	No. TIM-0372022e-I003.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
webmail.keeprojects.in	FOLLOW UP PAYMENT.exe	Get hash	malicious	Browse	103.195.185.58
	LIST OF PRODUCT AND SPECIFICATIONS.exe	Get hash	malicious	Browse	103.195.185.58
	SecuriteInfo.com.W32.AIDetectNet.01.11575.exe	Get hash	malicious	Browse	103.195.185.58
	INVOICE.exe	Get hash	malicious	Browse	103.195.185.58
	ARRIVAL NOTICE.exe	Get hash	malicious	Browse	103.195.185.58
	CNC.exe	Get hash	malicious	Browse	103.195.185.58
	CNC.exe	Get hash	malicious	Browse	103.195.185.58
	features and accessories..exe	Get hash	malicious	Browse	103.195.185.58
	features and accessories.exe	Get hash	malicious	Browse	103.195.185.58
	DOCUMENTS.exe	Get hash	malicious	Browse	103.195.185.58
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	103.195.185.58
	PAYMENT FOR AMOUNT.exe	Get hash	malicious	Browse	103.195.185.58
	DOCUMENTS ASEAN.exe	Get hash	malicious	Browse	103.195.185.58
	SCANDINAVIA V020E.exe	Get hash	malicious	Browse	103.195.185.58
	payment instruction.exe	Get hash	malicious	Browse	103.195.185.58

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	WLmNdxIHr3.exe	Get hash	malicious	Browse	208.91.199.223
	DOC_6000019430_AUGUST2022.EXE	Get hash	malicious	Browse	208.91.198.143
	hpyvq3OqZv.exe	Get hash	malicious	Browse	208.91.199.225
	D99Wy236LD.exe	Get hash	malicious	Browse	111.118.212.38
	PURCHASE ORDER.exe	Get hash	malicious	Browse	208.91.199.223
	Swift Copy.exe	Get hash	malicious	Browse	103.21.58.15
	PO-151.exe	Get hash	malicious	Browse	208.91.199.223
	Invoice SIL-EDI-0-2022-392.exe	Get hash	malicious	Browse	119.18.49.30
	PAYMENT ADVICE.exe	Get hash	malicious	Browse	208.91.199.225
	IMG_03184.exe	Get hash	malicious	Browse	103.21.58.15
	PURCHASE ORDER.exe	Get hash	malicious	Browse	111.118.215.251
	ORDER-NO0003.exe	Get hash	malicious	Browse	208.91.199.224
	Doc_Requisition Quote_JULY2022.exe	Get hash	malicious	Browse	208.91.198.143
	PO from Proform Technologies Inc 15124.pdf.rar.exe	Get hash	malicious	Browse	111.118.215.251
	RFQ-Prebid Inquiries..exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.W32.AIDetectNet.01.25263.exe	Get hash	malicious	Browse	103.21.58.130
	Payment Copy_Bank Fab.doc	Get hash	malicious	Browse	103.21.58.130
	Bank FAB_ Payment Copy_Pdf.exe	Get hash	malicious	Browse	103.21.58.130
	n7SttFD3Nc.exe	Get hash	malicious	Browse	103.195.185.94
	RFQ 0937728266.vbs	Get hash	malicious	Browse	111.118.215.251

Process:	C:\Users\user\Desktop\BANK DATAILS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.984069886555404
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	BANK DATAILS.exe
File size:	845312
MD5:	9c8721d5f0dfcb5893766810fc016b1b
SHA1:	097e2d6bd75f55fee4ba991696d15bbd0f73137f
SHA256:	22083794e761ae3e2fb684244ddadba8353b0dc25549d9591dbbd118dde52054
SHA512:	83e9bd28a1ff90448cd029742dcf3dfea760ed70112ab85e840c661c053d59531f521e3d09a49c545cc7dc26b7bfc76d106e0bb3692b88c64c4f03acbe6177fa
SSDEEP:	12288:OxjlkBIh6kLw/997uWi+bLtVo80FuYAMrovCSePuv:AsiAJJb3o8zsIh
TLSH:	1205AE0123D17519E23E4F7549E2D0709BB7ED279826E2EE2CC83D4FB77BA448952722
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..b..............P.............>.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4cfd3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62ECC24C [Fri Aug 5 07:10:04 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcfce8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcdd44	0xcde00	False	0.6690407748937462	data	6.9916083972247	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x390	0x400	False	0.3828125	data	2.893537260945271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd0058	0x334	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3103.195.185.58497375872839723 08/05/22-13:24:47.100821	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49737	587	192.168.2.3	103.195.185.58
192.168.2.3103.195.185.58497375872851779 08/05/22-13:24:47.100944	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49737	587	192.168.2.3	103.195.185.58
192.168.2.3103.195.185.58497375872840032 08/05/22-13:24:47.100944	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49737	587	192.168.2.3	103.195.185.58
192.168.2.3103.195.185.58497375872030171 08/05/22-13:24:47.100821	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49737	587	192.168.2.3	103.195.185.58

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 13:24:44.522775888 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:44.658198118 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:44.658328056 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:45.731394053 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:45.731714964 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:45.869232893 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:45.870805979 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:46.004103899 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:46.019043922 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:46.192163944 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:46.662942886 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:46.663623095 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:46.796436071 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:46.796494007 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:46.796808004 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:46.966094017 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:46.966377974 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:47.099303961 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:47.099961996 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:47.100821018 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:47.100944042 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:47.101768017 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:47.101867914 CEST	49737	587	192.168.2.3	103.195.185.58
Aug 5, 2022 13:24:47.235477924 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:47.235764980 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:47.241832972 CEST	587	49737	103.195.185.58	192.168.2.3
Aug 5, 2022 13:24:47.358130932 CEST	49737	587	192.168.2.3	103.195.185.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 13:24:44.114614964 CEST	58204	53	192.168.2.3	8.8.8.8
Aug 5, 2022 13:24:44.500737906 CEST	53	58204	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 5, 2022 13:24:44.114614964 CEST	192.168.2.3	8.8.8.8	0xa87c	Standard query (0)	webmail.keeprojects.in	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 5, 2022 13:24:44.500737906 CEST	8.8.8.8	192.168.2.3	0xa87c	No error (0)	webmail.keeprojects.in		103.195.185.58	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 5, 2022 13:24:45.731394053 CEST	587	49737	103.195.185.58	192.168.2.3	220-md-in-88.webhostbox.net ESMTP Exim 4.95 #2 Fri, 05 Aug 2022 11:24:45 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 5, 2022 13:24:45.731714964 CEST	49737	587	192.168.2.3	103.195.185.58	EHLO 813435
Aug 5, 2022 13:24:45.869232893 CEST	587	49737	103.195.185.58	192.168.2.3	250-md-in-88.webhostbox.net Hello 813435 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 5, 2022 13:24:45.870805979 CEST	49737	587	192.168.2.3	103.195.185.58	AUTH login cXVhbGl0eUBrZWVwcm9qZWN0cy5pbg==
Aug 5, 2022 13:24:46.004103899 CEST	587	49737	103.195.185.58	192.168.2.3	334 UGFzc3dvcmQ6
Aug 5, 2022 13:24:46.662942886 CEST	587	49737	103.195.185.58	192.168.2.3	235 Authentication succeeded
Aug 5, 2022 13:24:46.663623095 CEST	49737	587	192.168.2.3	103.195.185.58	MAIL FROM:<quality@keeprojects.in>
Aug 5, 2022 13:24:46.796494007 CEST	587	49737	103.195.185.58	192.168.2.3	250 OK
Aug 5, 2022 13:24:46.796808004 CEST	49737	587	192.168.2.3	103.195.185.58	RCPT TO:<uuc7470@gmail.com>
Aug 5, 2022 13:24:46.966094017 CEST	587	49737	103.195.185.58	192.168.2.3	250 Accepted
Aug 5, 2022 13:24:46.966377974 CEST	49737	587	192.168.2.3	103.195.185.58	DATA
Aug 5, 2022 13:24:47.099961996 CEST	587	49737	103.195.185.58	192.168.2.3	354 Enter message, ending with "." on a line by itself
Aug 5, 2022 13:24:47.101867914 CEST	49737	587	192.168.2.3	103.195.185.58	.
Aug 5, 2022 13:24:47.241832972 CEST	587	49737	103.195.185.58	192.168.2.3	250 OK id=1oJvRf-004L0Y-0K

Target ID:	0
Start time:	13:24:06
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\BANK DATAILS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BANK DATAILS.exe"
Imagebase:	0x550000
File size:	845312 bytes
MD5 hash:	9C8721D5F0DFCB5893766810FC016B1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	13:24:24
Start date:	05/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3a0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	13:24:25
Start date:	05/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x2c0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	13:24:26
Start date:	05/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xd20000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	93
Total number of Limit Nodes:	6

Executed Functions

Function 00F44A10 Relevance: 4.1, Strings: 3, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X.?+, xrefs: 00F44B0C
X.?+, xrefs: 00F44AFE
Mz`., xrefs: 00F44B4A

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID:
String ID: Mz`.$X.?+$X.?+
API String ID: 0-4146211559
Opcode ID: 914fee5dbc3b56af21bb6c1b44f0045904ee5fb5da063561efa241f139748efb
Instruction ID: 02b30d65e98ebee8be3be6726a7efb0f4b366163d47274d1ffd1be1c4dc48321
Opcode Fuzzy Hash: 914fee5dbc3b56af21bb6c1b44f0045904ee5fb5da063561efa241f139748efb
Instruction Fuzzy Hash: 13F14974E04209DFCB14CFA5D580B9DBBB2EF89310F2094AAD509BB360EB34A985DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00F44A06 Relevance: 2.9, Strings: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X.?+, xrefs: 00F44B0C
Mz`., xrefs: 00F44B4A

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID:
String ID: Mz`.$X.?+
API String ID: 0-3189588762
Opcode ID: fef6b4b63c3141f755457a47dc169d494eb0d8eb647be9fb05b6296bd4c60a8d
Instruction ID: a5b3dd3c1a0ca692880b32f845d8501c4901923cdd573af244d60fe6ea0d3339
Opcode Fuzzy Hash: fef6b4b63c3141f755457a47dc169d494eb0d8eb647be9fb05b6296bd4c60a8d
Instruction Fuzzy Hash: 9BF14874E00209DFCB14CFA5D480B9DBBB1EF89310F2494AAD509BB364EB34A985DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00F49CC8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F49F0E

Strings

pO, xrefs: 00F49E46
pO, xrefs: 00F49E6B

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID: HandleModule
String ID: pO$pO
API String ID: 4139908857-2202279484
Opcode ID: e408a981f953743246f33ba18827f98de669cec7650631ed49e42c231293b82d
Instruction ID: 57aa74dbdfeb2577ca77159e9d78bcaa17a089ef6a85f0e14738527e0b964543
Opcode Fuzzy Hash: e408a981f953743246f33ba18827f98de669cec7650631ed49e42c231293b82d
Instruction Fuzzy Hash: C0712470A00B058FD724DF2AD48579BBBF1FF88314F008929D89AD7A44E775E94ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AA2C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F4C5A6,?,?,?,?,?), ref: 00F4C667

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0ec7a83f2fc7c806bb8568f91e6f5aafaabf981fdd55a60b1c6afa9862637d62
Instruction ID: 79b7db7096dd99fbee1a7488e33bd9d5c2485d3601c195db589907af51f28667
Opcode Fuzzy Hash: 0ec7a83f2fc7c806bb8568f91e6f5aafaabf981fdd55a60b1c6afa9862637d62
Instruction Fuzzy Hash: ED21E4B5D01208AFDB11CFAAD985BDEBFF4EB48324F14841AE918A3710D374A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F4C5D9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F4C5A6,?,?,?,?,?), ref: 00F4C667

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 21eedc58f925989ce89137a51e1a30839c09f232c08b5f6085f7ba39b8d9027a
Instruction ID: a3a49d1e349061b404b54f0cc9a56540a5537cbdd801bae8379d902ea2803418
Opcode Fuzzy Hash: 21eedc58f925989ce89137a51e1a30839c09f232c08b5f6085f7ba39b8d9027a
Instruction Fuzzy Hash: 2E21E4B5D012189FDB10CFAAD984ADEBFF4EB48324F14841AE918A3310D374A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A128 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F49F89,00000800,00000000,00000000), ref: 00F4A19A

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a177b72899f8d321619c5bdb106e5972e1ca9249bd026ed6ab0548d3df97ba6e
Instruction ID: be5b3e696656a4a9897da6437640c5c38b16fc6f6d07931d7e8e21fa7c95dedb
Opcode Fuzzy Hash: a177b72899f8d321619c5bdb106e5972e1ca9249bd026ed6ab0548d3df97ba6e
Instruction Fuzzy Hash: 112106B6C002499FDB21CFAAC484BDEFFF4EB88324F04842AD915A7600D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F49048 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F49F89,00000800,00000000,00000000), ref: 00F4A19A

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ff803b49dd0ccfdbe95635557e1e0ff909148010548bafe68ffb2dccfb78e18
Instruction ID: b52c1889cd6ec803721a62a31616ae83c1e6fc4d8579333d5013e0c2464f780b
Opcode Fuzzy Hash: 5ff803b49dd0ccfdbe95635557e1e0ff909148010548bafe68ffb2dccfb78e18
Instruction Fuzzy Hash: 3B11E2B6D002099FDB10CF9AD844BDEFBF4EB88324F14842AE919A7700D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F49EA8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F49F0E

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3649754af1af5a19855ba4afeb9f1447b6ec9021e53750f3a96b3438897cb35f
Instruction ID: b874e6747b19523014f3baf2551c94188f2f799dedab54ea4559739553859d64
Opcode Fuzzy Hash: 3649754af1af5a19855ba4afeb9f1447b6ec9021e53750f3a96b3438897cb35f
Instruction Fuzzy Hash: 9C11E3B6D006598FCB10CF9AD444BDFFBF4EB48324F14851AD819A7600D3B5A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289037599.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_edd000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9944b26c50c9126d1d3e319719c116f70328fe7b589a087cb0c0304a588b638
Instruction ID: a115864042ce1264d4f4ddb84c70fbaa103316e141e3146589ef90cbd969a5c3
Opcode Fuzzy Hash: c9944b26c50c9126d1d3e319719c116f70328fe7b589a087cb0c0304a588b638
Instruction Fuzzy Hash: EF210371508240EFCB05DF14DDC0B66BB65FB98328F24C56AE8091B746C336E856D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00EED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289094509.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a299cae6705bf4ba0757b93e6c56f2326e41a6dd227d63508670b2d27c2a672c
Instruction ID: 2be5d2fa2f9394b3741edd263f555de4d00bae62d7c1653c4aaefa1939dea2f9
Opcode Fuzzy Hash: a299cae6705bf4ba0757b93e6c56f2326e41a6dd227d63508670b2d27c2a672c
Instruction Fuzzy Hash: 2A213471608288DFCB14CF14DDC0B56BB66FB88318F28C96DD80A5B746C336D84BCAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289094509.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8152930082c89606b46e72c4317e448f00c5026ebb3a6ce6bf6e153dd9417b35
Instruction ID: bb0b9e94779d9a812063799a8ab69f27c13bce7e016a51487237ae1fddfc0ad4
Opcode Fuzzy Hash: 8152930082c89606b46e72c4317e448f00c5026ebb3a6ce6bf6e153dd9417b35
Instruction Fuzzy Hash: 52214675508288EFCB01CF11DDC0B66BBA5FB88318F24C96DE9095B762C336D84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289094509.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d99e063339a888ab5b3f2aeaf5c22e38670094d80c25423a16d8eb6b14a5766
Instruction ID: a2299e43f4f31b9f72e0e2026ed08fe164e12a88f58124bf49756d592ed89709
Opcode Fuzzy Hash: 6d99e063339a888ab5b3f2aeaf5c22e38670094d80c25423a16d8eb6b14a5766
Instruction Fuzzy Hash: DB21927550D3C48FCB02CF20D994B15BF72EB46314F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289037599.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_edd000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: ccc9cac5e923986de0e053ac5218be2cb4ef5c5d3ae76770fd46fa38267816ce
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 3C11D376408280DFCB12CF10D9C4B16BF71FB94328F24C6AAD8455B756C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289094509.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7295738dd5415a26bb4c57afd7e216ba35a237fb4860c4a8b3290a6f7a399039
Instruction ID: b9b57b5a17575555c940f85a9cf4a0461c4e7350e743cf4d89839ed60df19a1e
Opcode Fuzzy Hash: 7295738dd5415a26bb4c57afd7e216ba35a237fb4860c4a8b3290a6f7a399039
Instruction Fuzzy Hash: 0311DD75508284DFCB02CF10C9C4B15FBB1FB88328F28C6ADD9494B666C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD651 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289037599.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_edd000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f9e33b05c720b05344c04ac0b42be135b9487668d72f658a416de7f229037f
Instruction ID: 427236268366b7c6507c3b228a3ad4f8685286e5e70348041ba9d7febdd31521
Opcode Fuzzy Hash: a9f9e33b05c720b05344c04ac0b42be135b9487668d72f658a416de7f229037f
Instruction Fuzzy Hash: CE01F77100C3849AE7109A15CD847A6BF98EF41378F18942BED5D6A742D379D845CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD650 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289037599.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_edd000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4e43be965d7143c3bdafe63df1a188e78ce36797cf56929207d4b849e12f97
Instruction ID: 952c4d9dda4c27623c1cd053a87a320bb534296c5010d5f36a60f2da3ed41dbb
Opcode Fuzzy Hash: 4f4e43be965d7143c3bdafe63df1a188e78ce36797cf56929207d4b849e12f97
Instruction Fuzzy Hash: DCF062714083849FEB208A15DD84B62FF98EB41778F18C46AED195B782C3799D44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F4ED60 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d9cda10c0e20cbbd85d54c4c316f06711752a660d006a4a189eb613731f7e1
Instruction ID: 5b70bd31247ada0ec75fdc8aca357ac70c7b56e3bdd0440b4995efcd0eccdba6
Opcode Fuzzy Hash: 62d9cda10c0e20cbbd85d54c4c316f06711752a660d006a4a189eb613731f7e1
Instruction Fuzzy Hash: E712D4F5C997468BE310CF65ECC81A93BA0B740328FDB4A08D2616BAD0D7B9056ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 00F4C4B4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a718bbb7c64fd1ea6226f5378805df4d3d70d4acc044a230b60d70503efd5b69
Instruction ID: 161a2059752d628863709ee1ffd6b5c4891a2d146e9c306dc4798721560667b2
Opcode Fuzzy Hash: a718bbb7c64fd1ea6226f5378805df4d3d70d4acc044a230b60d70503efd5b69
Instruction Fuzzy Hash: 49A1BF32E00219CFCF15DFA5C8849DEBBB2FF84304B19856AE815BB221EB75E915DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F4ED50 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.289317699.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_BANK DATAILS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced5f5acf962b51c2462afb44d7cddfd4f2067fb7bbd49d0e2856d6886f50212
Instruction ID: 09555eb29b1761f519609b90334679494f31875d466999186b7e65654738d2df
Opcode Fuzzy Hash: ced5f5acf962b51c2462afb44d7cddfd4f2067fb7bbd49d0e2856d6886f50212
Instruction Fuzzy Hash: E5C118F1C997468BD710CF65ECC81A93BA1BB45328FDB4A08D1616BAD0D7B8146ECF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 2908, Parent PID: 5276COMMON

Execution Graph

Execution Coverage:	22.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.4%
Total number of Nodes:	820
Total number of Limit Nodes:	44

Executed Functions

Function 069B5488 Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 069B54C9

Memory Dump Source

Source File: 00000006.00000002.523442817.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_69b0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 599aab731782737449b0e7cebf222cc22d90a0ac69ab174f240b2014335d4fa7
Instruction ID: 1863789a1c862269182003372283ea16a386205533e1b6fc5959633ad734cf64
Opcode Fuzzy Hash: 599aab731782737449b0e7cebf222cc22d90a0ac69ab174f240b2014335d4fa7
Instruction Fuzzy Hash: B2615E70E10209DBDB54EFB4DA94AEEB7F6AF84305F118428E402AB794DF789C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 061E70A7 Relevance: 3.3, APIs: 2, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5f21419977a5e07771e578a85e0af4a39dd2fb042e68cf9757202b016c2898bc
Instruction ID: d44ab6f2be022a9fba27f1744bfc6b64773e77f149f94c0b4e0dea135054ad14
Opcode Fuzzy Hash: 5f21419977a5e07771e578a85e0af4a39dd2fb042e68cf9757202b016c2898bc
Instruction Fuzzy Hash: 01028434902298CFDBA9EF70D88869DB7B2FF49307F1045E9D50AA6250CB399AC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7090 Relevance: 3.3, APIs: 2, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3cf080a96b5f56cea495bc3b9ec6c9ae7843060813f86a6884bc22655cc8609d
Instruction ID: c34f2695ad1e5977639fa6ab875062c218004f273bb25c1a493e3b692a01791a
Opcode Fuzzy Hash: 3cf080a96b5f56cea495bc3b9ec6c9ae7843060813f86a6884bc22655cc8609d
Instruction Fuzzy Hash: F9028434902298CFDBA9EF70D88869DB7B2FF49307F1045E9D50A96290DB399AC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E70E4 Relevance: 3.3, APIs: 2, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 740623e87ebeb54901d839acba74a60bde2e6f743a56740dcce9a4bc2e2b7b81
Instruction ID: c020b0fd6d39ddfe6b99f9b91508b15ee5436ebc3a746a887338bb4ac907e8bb
Opcode Fuzzy Hash: 740623e87ebeb54901d839acba74a60bde2e6f743a56740dcce9a4bc2e2b7b81
Instruction Fuzzy Hash: 89028474902298CFDBA9EF70D88869DB7B2FF49307F1045E9D50AA6250CB399AC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7121 Relevance: 3.3, APIs: 2, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ab08d91878576715dc844de2c062f950810535140e423a3d609d93edc8edbcf1
Instruction ID: 0a7a15a8108752584cb73b0e9ab18d435c2df61e3f3afcc6baf6a46d2f659282
Opcode Fuzzy Hash: ab08d91878576715dc844de2c062f950810535140e423a3d609d93edc8edbcf1
Instruction Fuzzy Hash: 00028474902298CFDBA9EF70D88869DB7B2FF49306F1045E9D50AA6250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E715E Relevance: 3.3, APIs: 2, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1648b4ea3b985dddaa916d7ff46bb3088f0f2fe4ebc550add3dc3f8ad7abb495
Instruction ID: f19960a2f423c1c561a5c8a7e3e2415a766b8ea005638569eea6b0ab51f5fcc9
Opcode Fuzzy Hash: 1648b4ea3b985dddaa916d7ff46bb3088f0f2fe4ebc550add3dc3f8ad7abb495
Instruction Fuzzy Hash: 8A0284749022A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50A66250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E71A5 Relevance: 3.3, APIs: 2, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2cad95bc90cd91a2c253f3395a2b50cfb6b877feda26987d4d0b2ad33df02653
Instruction ID: 50b172244b125e90a66a887e663695bbb6b7bb682312ffd259cff65a3eea57d4
Opcode Fuzzy Hash: 2cad95bc90cd91a2c253f3395a2b50cfb6b877feda26987d4d0b2ad33df02653
Instruction Fuzzy Hash: F4F184749022A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50A66250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E71EC Relevance: 3.3, APIs: 2, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 49a972977f64fb68d7db1e55506c3d853039b64933f5de6fb54f62924eca1c8e
Instruction ID: 4a28587f8c50a1c2171da52adb641c9557775dfdb584e135f07491c0cd5ac5d5
Opcode Fuzzy Hash: 49a972977f64fb68d7db1e55506c3d853039b64933f5de6fb54f62924eca1c8e
Instruction Fuzzy Hash: FBF184749022A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50A66250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7233 Relevance: 3.3, APIs: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 40166e2d3ef8c1378b278ba921ecf8fb5446282c4cc889b0cb45a004237e09fe
Instruction ID: 86217d6f55f3ab4509dbaf356580714aef050d4f2cff71d3fcd733c07546c5af
Opcode Fuzzy Hash: 40166e2d3ef8c1378b278ba921ecf8fb5446282c4cc889b0cb45a004237e09fe
Instruction Fuzzy Hash: B1F184749022A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50A66250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E727A Relevance: 3.3, APIs: 2, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 61053e5359835a62a1931e0e366c1d06cebf81c8201ccfd9476e4fa040f9f8c8
Instruction ID: 4498436fec9e7a26e6c9ca27c6bdfbde8f08df46e2ddf4b0dd09821ea97268cd
Opcode Fuzzy Hash: 61053e5359835a62a1931e0e366c1d06cebf81c8201ccfd9476e4fa040f9f8c8
Instruction Fuzzy Hash: 57F184749022A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50A62250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E72C1 Relevance: 3.3, APIs: 2, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 734f215b571e6bac1579dfe94d523ebe5118927d9a270f5007df414808298a47
Instruction ID: beb559de9d77bad993574d42540ee131e0266a4c831b700f8a9a000f3ffb8f16
Opcode Fuzzy Hash: 734f215b571e6bac1579dfe94d523ebe5118927d9a270f5007df414808298a47
Instruction Fuzzy Hash: 2FE184749022A8CFDBA9EF34D88869DB7B2FF49306F1045E9D50A66250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7308 Relevance: 3.3, APIs: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4a0dc43449e13609401e2477bb2c1debe1ba1eecb16b172c9ac35aed9df2327c
Instruction ID: a4b93286f8266ac4f51d76a852ea1bbdf5331550957724d63233a995193f0b72
Opcode Fuzzy Hash: 4a0dc43449e13609401e2477bb2c1debe1ba1eecb16b172c9ac35aed9df2327c
Instruction Fuzzy Hash: 9EE184349022A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50A66250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E734F Relevance: 3.3, APIs: 2, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c0ee21f2b8b90d89e72e139c5fb5a98394d56bdf34ccf55e97ea9563ea341123
Instruction ID: 2106068fcd9d610a393f4fd95441c8613a884b993f1ce603c2ba2f2542b006b9
Opcode Fuzzy Hash: c0ee21f2b8b90d89e72e139c5fb5a98394d56bdf34ccf55e97ea9563ea341123
Instruction Fuzzy Hash: C1E183349022A8CFDBA9EF34D88869DB7B2FF49306F1045E9D50A66250DB399AC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E738D Relevance: 3.3, APIs: 2, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 08e8cd837a638203cb9a2bb964ffd4729646c989b4e04d18bacbb412352dccfd
Instruction ID: c5c8123d5706f68423cdd341b01e12830a762532a227e7db6c107498b99ba3f6
Opcode Fuzzy Hash: 08e8cd837a638203cb9a2bb964ffd4729646c989b4e04d18bacbb412352dccfd
Instruction Fuzzy Hash: 6AE18434902298CFDBA9EF34D88869DB7B2FF49306F1045E9D50A66250DB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E73D4 Relevance: 3.3, APIs: 2, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b3783fd0e566a9de6e09aa4d788f027a5c9d70fc78027577d4a5af016dab934b
Instruction ID: 5806e270ff8b5f6dc98d5135373dd31621304e8207489a4ea607ab64ae57c16c
Opcode Fuzzy Hash: b3783fd0e566a9de6e09aa4d788f027a5c9d70fc78027577d4a5af016dab934b
Instruction Fuzzy Hash: C4D18434902298CFDBA9EF34D88869DB7B2FF49306F1045E9D50A66250DB399AC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E741B Relevance: 3.3, APIs: 2, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e8e63ec7831c6b92a3afd585dccaf5a4f6976abcf3c72d71397a9a1353ba8b8f
Instruction ID: 4c38b8473ba52d4f7f16bff6b079fc26d78a4f98c1f533dfc82b863988a7b417
Opcode Fuzzy Hash: e8e63ec7831c6b92a3afd585dccaf5a4f6976abcf3c72d71397a9a1353ba8b8f
Instruction Fuzzy Hash: 5AD18434902298CFDBA9EF34D88869DB7B2FF49306F1045E9D50AA6250DB399AC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7462 Relevance: 3.2, APIs: 2, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b04524552cafa7c2c36652092ef48d839c388306e167654f93aa5eba7b457d2f
Instruction ID: 4557a1f069e291c2af6e96717f416a93420b6471f3483daa2f0315f6f72a70a6
Opcode Fuzzy Hash: b04524552cafa7c2c36652092ef48d839c388306e167654f93aa5eba7b457d2f
Instruction Fuzzy Hash: 57D18434902298CFDBA9EF34D88869DB7B2FF49306F1045E9D50A66250DB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E74A9 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 18d266f0ebbb21c9971b6aaff559ae7a46062afa504b817b3a198199c64a571d
Instruction ID: a1d2454ad6919a8fb9be3b60e5c0ddf75bfa07cafcb07be15d8bf1cee69b477a
Opcode Fuzzy Hash: 18d266f0ebbb21c9971b6aaff559ae7a46062afa504b817b3a198199c64a571d
Instruction Fuzzy Hash: DDC18434902298CFDBA9EF34D88869DB7B2FF49306F1045E9D50AA6250DB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E74F0 Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4a33e6d3904854a231890766b91ed910f687a371eaaaf0585d1b7efd28a30737
Instruction ID: 70eed93027eb131741da48169af3810f5d9e48db1af1e6134bbf4c0ea1e64d7c
Opcode Fuzzy Hash: 4a33e6d3904854a231890766b91ed910f687a371eaaaf0585d1b7efd28a30737
Instruction Fuzzy Hash: 7BC19434906298CFDBA9EF34D88869DB7B2FF49306F1045E9D50AA6250CB399EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7537 Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c333839e5d7ad956fe7ae7946f25fec4d0e37060a286aca79c92d74e11ab1002
Instruction ID: b47e646dfd8e43be809fa7a658590529bf776d21b0f1e2df39c7d73738bb6127
Opcode Fuzzy Hash: c333839e5d7ad956fe7ae7946f25fec4d0e37060a286aca79c92d74e11ab1002
Instruction Fuzzy Hash: BBC1A434906298CFDBA9EF30D88869DB7B2FF49306F1045E9D50A62250CB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E757E Relevance: 3.2, APIs: 2, Instructions: 221COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 334c8e4bb7cbd63076eac660d96c1964e53a04ad701af56c5a43aaacde7b20be
Instruction ID: a670981614cd73e872667a525db1d390fb4443e746cda2da1523eae9a5cd6fef
Opcode Fuzzy Hash: 334c8e4bb7cbd63076eac660d96c1964e53a04ad701af56c5a43aaacde7b20be
Instruction Fuzzy Hash: 9DB193349062A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA2250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E75C5 Relevance: 3.2, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3ad5b4d8604b74dbf2aab9b3633a805b71de9d80f97c6e458dda94328258f975
Instruction ID: 57b461da20c966ad754dd72e4071cb092f10015d17e82329a3c2c4e525ee4669
Opcode Fuzzy Hash: 3ad5b4d8604b74dbf2aab9b3633a805b71de9d80f97c6e458dda94328258f975
Instruction Fuzzy Hash: C8B1A3349062A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA2250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E760C Relevance: 3.2, APIs: 2, Instructions: 207COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 256c144e94ee24463e2215e32c4c5127181d46a23f32da8734989bcf1ea1c11a
Instruction ID: b3f13475159047e17b269cc35fa9b552d42ad4f49f094bfbde73ab552343fd1d
Opcode Fuzzy Hash: 256c144e94ee24463e2215e32c4c5127181d46a23f32da8734989bcf1ea1c11a
Instruction Fuzzy Hash: 06B194349062A8CFDBA9EF34D88869DB7B2FF49306F1045E9D50AA2250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7653 Relevance: 3.2, APIs: 2, Instructions: 198COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e8203a440ba574ea7c8536f2b10c34b467077ef6805909f1a66ff4ab173049df
Instruction ID: 5f732da4aba36ccbf58b6d8a56e54948beadd120914d78501698131bc2198385
Opcode Fuzzy Hash: e8203a440ba574ea7c8536f2b10c34b467077ef6805909f1a66ff4ab173049df
Instruction Fuzzy Hash: 71A194349062A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50A62250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7691 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 93680ad08f87339bc6725cc23130eb5fe895d584e39847e82c8c01d19fd707e6
Instruction ID: ca88a637df380f50459c1311d0e77ccab8667e7079c23c244c02e96396b8a1e5
Opcode Fuzzy Hash: 93680ad08f87339bc6725cc23130eb5fe895d584e39847e82c8c01d19fd707e6
Instruction Fuzzy Hash: CDA194349062A8CFDBA9EF34D88869DB7B2FF49306F1045E9D50AA2250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E76D8 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8844c3996bc28a9c0be4a21e93ba5eabf09fe71d670b1e9cbc71f86275ecf5f4
Instruction ID: c29e69535eb328195301a40fbd22c70343d29901ee23f4e5d2147bca535fc61e
Opcode Fuzzy Hash: 8844c3996bc28a9c0be4a21e93ba5eabf09fe71d670b1e9cbc71f86275ecf5f4
Instruction Fuzzy Hash: B1A184349062A8CFDBA9EF34D88869DB7B2FF49306F1045E9D50AA2250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E771F Relevance: 3.2, APIs: 2, Instructions: 179COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e99fcd7f47f61bdeb79c924fd1deabf2bc28a339d31eaa085308b1f703c81329
Instruction ID: 90e7b2f5181999cc57138394fe38afc2ccbbc74e7bdde06141a40eef59f37f61
Opcode Fuzzy Hash: e99fcd7f47f61bdeb79c924fd1deabf2bc28a339d31eaa085308b1f703c81329
Instruction Fuzzy Hash: 7C9184349062A8CFDB69EF30D88869DB7B2FF89307F1045E9D50AA6250DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7769 Relevance: 3.2, APIs: 2, Instructions: 172COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 574771da459419aefec0116c3ee9374aeaa09b717bc36c23df736b0929b8de34
Instruction ID: 093c9c60350a41c80c69c32cb42ce2d8f25bfcd6860ec7d26d7debeee90fdb96
Opcode Fuzzy Hash: 574771da459419aefec0116c3ee9374aeaa09b717bc36c23df736b0929b8de34
Instruction Fuzzy Hash: F79194349062A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA6250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E77B3 Relevance: 3.2, APIs: 2, Instructions: 165COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E77DC
KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6143073e6ea1b84e9c906dab4f49ca80f28f8235527d827b5015389ea407743f
Instruction ID: 9e6287f5329e8ec5c09a315002eaf7664d20b1594874ceb2690c0e3841053989
Opcode Fuzzy Hash: 6143073e6ea1b84e9c906dab4f49ca80f28f8235527d827b5015389ea407743f
Instruction Fuzzy Hash: 4D8184349062A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA6250DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7813 Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 87c57fa9ab2309e3a823b99888f58e81959691629f6f9c87818e32b846cc9d51
Instruction ID: 65adc758a4dd26bddfaa1c59706c138c4869de6416f1566efaafa43afed1348e
Opcode Fuzzy Hash: 87c57fa9ab2309e3a823b99888f58e81959691629f6f9c87818e32b846cc9d51
Instruction Fuzzy Hash: 69819534906268CFDB69EF30D88869DB7B2FF49306F1045E9D50AA6350DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E785D Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e119ae12bd33ca1e7a7a9efcac389af025ae75a178843df99930ec39c5a68844
Instruction ID: 1a9f78ff65d7fb4c334419d1287790667c5d0e9264fbe732436d2fccee492080
Opcode Fuzzy Hash: e119ae12bd33ca1e7a7a9efcac389af025ae75a178843df99930ec39c5a68844
Instruction Fuzzy Hash: 07719574906268CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA2250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E78A7 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f06992ac2839a5020cf2c282cc244e5f391fd722cc36cde06dd343efcfbd5bd4
Instruction ID: 7b1352cc1c0b1f90b3b9b62f9abeb217379d8367ff999e6c681a36e1e58290fe
Opcode Fuzzy Hash: f06992ac2839a5020cf2c282cc244e5f391fd722cc36cde06dd343efcfbd5bd4
Instruction Fuzzy Hash: 3C6195349062A8CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA6250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E78E5 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 202c2c5d8847776f9758556e94c32d2efe922955fad248ae8d7dc10f70f7f5f9
Instruction ID: 7fe8db4aecb259c12e96d9b3893b1e41cfd62d092670d452dbc7d5dfa099499c
Opcode Fuzzy Hash: 202c2c5d8847776f9758556e94c32d2efe922955fad248ae8d7dc10f70f7f5f9
Instruction Fuzzy Hash: 14619334906268CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA6290DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 069B8080 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.523442817.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_69b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325109593a8bc8401168c5b4021763db18ed867a847e14ad4c8a2ca059268bb0
Instruction ID: 2da4c550ab9d791df91164fa1dad6c396d072136ba043d1836a8af3a3fd650f9
Opcode Fuzzy Hash: 325109593a8bc8401168c5b4021763db18ed867a847e14ad4c8a2ca059268bb0
Instruction Fuzzy Hash: 8A414772E043558FCB10DFB9C9042DEBBF5EF89210F18856AD419A7B90DB749885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 061E792F Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9a4bfb167347037a470d7960811df4e07adcba8660aec9d8a920629c161b6b57
Instruction ID: 0ef3b82dcb4c0d0937c51e43c676062eee61793c05a667ba2ba864e8c7fc6eb9
Opcode Fuzzy Hash: 9a4bfb167347037a470d7960811df4e07adcba8660aec9d8a920629c161b6b57
Instruction Fuzzy Hash: EF519334902268CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA6290DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7979 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c1c0d65bebce00ee14e043bddc6b860cfed5d79b462e990a7d7ea56651b9670e
Instruction ID: 3e133a720b365e8c65e1a8ba05b08c1fca0f6e838c924b3ea9b984ac45b4c18a
Opcode Fuzzy Hash: c1c0d65bebce00ee14e043bddc6b860cfed5d79b462e990a7d7ea56651b9670e
Instruction Fuzzy Hash: 2D51A534902268CFDBA9EF30D88869DB7B2FF49306F5045E9D50AA2250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E79C3 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 058fce41f9f5368f3950b2d233a7652798aefbc1ca0218f363f54e226e0b8d4d
Instruction ID: cf6be6f1185ff33e952ba592232a15500f0b2937e8a17b2369b7dfe67072fb87
Opcode Fuzzy Hash: 058fce41f9f5368f3950b2d233a7652798aefbc1ca0218f363f54e226e0b8d4d
Instruction Fuzzy Hash: 7551B534A02268CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA6250DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06825DD8 Relevance: 1.6, APIs: 1, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06825EE1

Memory Dump Source

Source File: 00000006.00000002.523188959.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_MSBuild.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f9c12bba2f1786b10f4a33b21ee5144f59fe2db76897d635298e367e9cb7c6f3
Instruction ID: 06bbf391eb5da78286832e72698193025acd530444b7e7dea6767728b2dc02cc
Opcode Fuzzy Hash: f9c12bba2f1786b10f4a33b21ee5144f59fe2db76897d635298e367e9cb7c6f3
Instruction Fuzzy Hash: EF4114B5E002699FCB10CFA9D884A9EBBF5BF48314F14802AE919EB350D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 061E7A0D Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7e37a380a04d4c0d534ba6d1d7ff6bb6f6ff32627359128d8924c47771d43726
Instruction ID: dd49366d9439c90f4851a2372e0b74c3a9f5dcf09b96f13805bd325b669c03b7
Opcode Fuzzy Hash: 7e37a380a04d4c0d534ba6d1d7ff6bb6f6ff32627359128d8924c47771d43726
Instruction Fuzzy Hash: 8551B634902268CFDBA9EF30D88869DB7B2FF49306F5045E9D50AA6290DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06825B67 Relevance: 1.6, APIs: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 06825C24

Memory Dump Source

Source File: 00000006.00000002.523188959.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_MSBuild.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6745d7d29ff34631cbec6cb92e2a964ee1900642aacaa7707605485ce3169454
Instruction ID: 16ffba34afa98ed622d83ea72fbdb441a57d982b8e58ea9f3240063ecf1d0b9f
Opcode Fuzzy Hash: 6745d7d29ff34631cbec6cb92e2a964ee1900642aacaa7707605485ce3169454
Instruction Fuzzy Hash: 544178B0D002999FDB10CFA9C584A8EFFF5BF08314F28856AD809AB301D3749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 061E7A4B Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dd4dd23aa8c446d191b0dafbc406d50b2b79eab994ce1797afdcc06e4bde8ea0
Instruction ID: 263d10b24dd67abe61f5d070575cc1dab26685ea5738ced28883099b4cd46f3d
Opcode Fuzzy Hash: dd4dd23aa8c446d191b0dafbc406d50b2b79eab994ce1797afdcc06e4bde8ea0
Instruction Fuzzy Hash: 4F51B534A02268CFDBA9EF30D88869DB7B2FF49306F1045E9D50AA2240DB359EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06825B21 Relevance: 1.6, APIs: 1, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 06825C24

Memory Dump Source

Source File: 00000006.00000002.523188959.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_MSBuild.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b962e153a36a6e19b58c9eeb7012ce245338ff82ebea77822e76ce1c4fe3dec4
Instruction ID: 7299dfccfd18853c9bdaa06becd9ee0d7f5ca91a1477eaee5a588da23c400b3b
Opcode Fuzzy Hash: b962e153a36a6e19b58c9eeb7012ce245338ff82ebea77822e76ce1c4fe3dec4
Instruction Fuzzy Hash: 77414770E0435A8FDB00CF98C548B9EFBF1AF48314F28C56AE409AB351D7799985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0159C8E4 Relevance: 1.6, APIs: 1, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0159C9BA

Memory Dump Source

Source File: 00000006.00000002.511312979.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1590000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 84b275ca8f8d8065cd2a9d2b44d2367de77d7098bee0f9f96e374174626399fd
Instruction ID: 10f7aeb8a74ecb1572d45f3354a35a213706b68eec55f2678fc5fe955b00485d
Opcode Fuzzy Hash: 84b275ca8f8d8065cd2a9d2b44d2367de77d7098bee0f9f96e374174626399fd
Instruction Fuzzy Hash: EA3125B1D002498FDF14CFA8C98579EBFB1BB09314F14852EE855AB380D7789485CF96

Uniqueness

Uniqueness Score: -1.00%

Function 01599DC0 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0159C9BA

Memory Dump Source

Source File: 00000006.00000002.511312979.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1590000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 34a4377d51346d9a100d0857db35091173e41174f6aad4474c4dc0ac618d6f95
Instruction ID: d73805d73e53a68ad84ad934f6280c91bd82f1317b983b966e4fe654b8c83a40
Opcode Fuzzy Hash: 34a4377d51346d9a100d0857db35091173e41174f6aad4474c4dc0ac618d6f95
Instruction Fuzzy Hash: 2A3116B1D102499FDF14CFA9C98579EBBF1BB09314F14852DE815AB380D778A881CF96

Uniqueness

Uniqueness Score: -1.00%

Function 061E7A95 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6286358657f0a5b57bf9fed7f6194daf06a56b5de7803534458ff411827a0eda
Instruction ID: 2edc4683798700c764ed5a33c628d3a4e18e34225913f9450ddbd363ec351ec3
Opcode Fuzzy Hash: 6286358657f0a5b57bf9fed7f6194daf06a56b5de7803534458ff411827a0eda
Instruction Fuzzy Hash: 3C41C634A02259CFDBA9EF30D88869DB7B2FF49306F5045E9D50A96250CB359EC1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06825E28 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06825EE1

Memory Dump Source

Source File: 00000006.00000002.523188959.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_MSBuild.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 168ea3ff063429f5d8f3b74213ab8cb7021db379bfc246e9322fbe2859ddb773
Instruction ID: 4a4bc11f9051bba5e95bc9436501e6029099d7c48352cb9d8bcdabd2ab4c36be
Opcode Fuzzy Hash: 168ea3ff063429f5d8f3b74213ab8cb7021db379bfc246e9322fbe2859ddb773
Instruction Fuzzy Hash: B831E2B5D002699FCB10CFAAD884ACEBBF5BF48354F54802AE919EB310D7749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 061E7AD3 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13779ef897f0e941328023e4578ed7ec0bf699aeb553b1caba5f5de18339bf98
Instruction ID: a05a88169290378861eb186a164dba87469f16db96c89100e9ed891a3301de39
Opcode Fuzzy Hash: 13779ef897f0e941328023e4578ed7ec0bf699aeb553b1caba5f5de18339bf98
Instruction Fuzzy Hash: C141B534A02258CFDBA5EF30D88869DB7B2FF49306F6045E9D54AA6250CB359EC1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06825B70 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 06825C24

Memory Dump Source

Source File: 00000006.00000002.523188959.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_MSBuild.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9832db6206116c5fcbeccb23bd9f979342cc858c744fc106cfc334c1a16ab816
Instruction ID: 826ffbfacd63c8fbddf14b53ebb07d36f557507b95da6c08a774e643ab978f30
Opcode Fuzzy Hash: 9832db6206116c5fcbeccb23bd9f979342cc858c744fc106cfc334c1a16ab816
Instruction Fuzzy Hash: F431F0B1D002599FDB10CF99C584A8EFFF5BF48314F28816AE809AB310D7759985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 061E7B11 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aeb5caa2d5c2f66ce3991d12747fa343046da575e17c808bc13bc14b7555aff5
Instruction ID: 08491c1399bb2772c2da0bb609595bee91fb4a984a014a493e847ff4f19134b8
Opcode Fuzzy Hash: aeb5caa2d5c2f66ce3991d12747fa343046da575e17c808bc13bc14b7555aff5
Instruction Fuzzy Hash: D0419534A02269CFDB65EF30D88869DB7B2FF49306F5045EAD54AA6240CB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 061E7B5B Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1cc147e78aa26351d513ea2fc5d65c4e83bfc77757561b8dcd77ec8671bec525
Instruction ID: 873139baa3b79625a41ff5ad33ed181d2d90a9a4336d14fcb2c361a90f2f4c74
Opcode Fuzzy Hash: 1cc147e78aa26351d513ea2fc5d65c4e83bfc77757561b8dcd77ec8671bec525
Instruction Fuzzy Hash: EF31B634A02269CFDB65EF30D88869DB7B2FF49306F5045EAD54AA6340CB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 069BC4EC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,069BCA4E,?,?,?,?,?), ref: 069BCB0F

Memory Dump Source

Source File: 00000006.00000002.523442817.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_69b0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d36594082458f6c3736bae1da36362dfddfc6d4abccf1a0088f72e13a7f4a177
Instruction ID: f02efc2aca90ea8ca664dc5866641ae6206df44d41a21231087e6d147d2fffed
Opcode Fuzzy Hash: d36594082458f6c3736bae1da36362dfddfc6d4abccf1a0088f72e13a7f4a177
Instruction Fuzzy Hash: 0321E4B5D00218DFDB10CFA9D984ADEBBF8EB58364F14841AE914B7710D374A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 061E7BA5 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8f33ca990e55ebdf0695ac15932c3b1256fbfcaaf9204a1715c8d5420c35de3d
Instruction ID: 7800479c4fec2bac4e850107814f8763c9f298e2438b755fd5b5118fe8030332
Opcode Fuzzy Hash: 8f33ca990e55ebdf0695ac15932c3b1256fbfcaaf9204a1715c8d5420c35de3d
Instruction Fuzzy Hash: 4131C874A02259CFDB65EF20D88969DB7B6FF4A306F1045EAD50AA2240CB359E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01594CB9 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01594D42

Memory Dump Source

Source File: 00000006.00000002.511312979.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1590000_MSBuild.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 3409eb94fac050590947c4584957290571c293e230d2dae915adfe2e014f7fda
Instruction ID: d2b772c3ca8cc4be0d23e093f5f610f67d497b24abc8af96210cde2890edaef5
Opcode Fuzzy Hash: 3409eb94fac050590947c4584957290571c293e230d2dae915adfe2e014f7fda
Instruction Fuzzy Hash: F121ACB59003458FDF50DFA8D64939EBBF4FB09318F24846AD809E7640DB785986CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 061E7BEF Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 782def2bef02a68af8576fd8dea431d99f265038d9184f0b408c2bde784f9672
Instruction ID: 775f4a020624ff9881e8666b4404fbc884128056eea38d09e7ec7d3167485904
Opcode Fuzzy Hash: 782def2bef02a68af8576fd8dea431d99f265038d9184f0b408c2bde784f9672
Instruction Fuzzy Hash: 1C21D834A02258CFDB65EF20D88869DB7B6FF49306F1045EAD54AA2240CB359EC1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069B6654 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069B80D2), ref: 069B81BF

Memory Dump Source

Source File: 00000006.00000002.523442817.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_69b0000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 06604dd4f7b97e7d77850ac6acb01b7cf2dda8629e3a342c808217f0a330249e
Instruction ID: d7eb064d42682abaa3137b8667dd09f4c92169e4ce846029015cb85a7f0820d1
Opcode Fuzzy Hash: 06604dd4f7b97e7d77850ac6acb01b7cf2dda8629e3a342c808217f0a330249e
Instruction Fuzzy Hash: 1F1103B1D006599BCB10DF9AC9447DEFBF8EB48224F14856AD828B7740D378A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 01594CC8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01594D42

Memory Dump Source

Source File: 00000006.00000002.511312979.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1590000_MSBuild.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 22a616806122337c14baabd67ce217a7e0c36df32712f021648ab9f2debb2064
Instruction ID: 984c631ec92b1df9f6b6f3d7f211fcbc705210ca85a4737f611c543af0785c87
Opcode Fuzzy Hash: 22a616806122337c14baabd67ce217a7e0c36df32712f021648ab9f2debb2064
Instruction Fuzzy Hash: 0D1189B49003458FCF50DFA9D64879EBFF4FB09314F108429D805A7640DB786986CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 061E7C39 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cf401be44b1affd6190f4fccdf6f13b20b8dd24663b658c8d44ff05a2566b75b
Instruction ID: 78184806acd9d8d6ea3f3b9187b949a84241ec784c98b96328b2af9e1d7099d1
Opcode Fuzzy Hash: cf401be44b1affd6190f4fccdf6f13b20b8dd24663b658c8d44ff05a2566b75b
Instruction Fuzzy Hash: 01210A34A02258CFDB65EF30D88969DB7B6FF49307F1044EAD54A96240CB359E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 061E7C77 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 465fcf01c04be4de153b856713d24c44880f365feba04820c76e5b34bbf6961a
Instruction ID: 8abdd41120427ee617658a3e0324dc3d8c8f6b6a4c03dbcde43bdda1a62ca0ac
Opcode Fuzzy Hash: 465fcf01c04be4de153b856713d24c44880f365feba04820c76e5b34bbf6961a
Instruction Fuzzy Hash: 0511F834A01268CFDB65EF20D88869DB7B6FF49306F1005EAD54AA6240CB349E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 061E7CC1 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061E7CEA

Memory Dump Source

Source File: 00000006.00000002.522576829.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_61e0000_MSBuild.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ffa98f6fcf9269398ecd243c8ccba095931c1320137ba2018e21f7037caa0b65
Instruction ID: dfcd1f5cc7ac65a1f0530c15de738fc5670963e3cf09f0d1479195445585b5ef
Opcode Fuzzy Hash: ffa98f6fcf9269398ecd243c8ccba095931c1320137ba2018e21f7037caa0b65
Instruction Fuzzy Hash: 3601ED34A01259CFDB64DF20D88869DB7B1FF45306F1045EAD54997240CB349E81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0153D9B5 Relevance: 1.1, Instructions: 1144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.511013596.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_153d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475a2e660a095167dead79f30f11836cebaa6f283f0ec24228f73952f2528010
Instruction ID: 584def8ff7973ad0448b56e1e60e585eaaa0aecd402f4c2f844b67a54a7210bf
Opcode Fuzzy Hash: 475a2e660a095167dead79f30f11836cebaa6f283f0ec24228f73952f2528010
Instruction Fuzzy Hash: 7742077244E7C04FD7638B748C627827FB0AF53224F1A80EBC885CE6A3D56D595AC726

Uniqueness

Uniqueness Score: -1.00%

Function 0153DA00 Relevance: 1.1, Instructions: 1058COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.511013596.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_153d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e78d7293632e58c960c1b6af76fa6af7893af84ee08ef295efbc5dd1931ac8b
Instruction ID: 5b62eab08be092eb50c60f9f750fca37c47162f65d90f92eb0a39eadb94dfa82
Opcode Fuzzy Hash: 5e78d7293632e58c960c1b6af76fa6af7893af84ee08ef295efbc5dd1931ac8b
Instruction Fuzzy Hash: 4732197244E7C04FD7638B74CC627827FB0AF53225F1A80EBC885CE6A3D569594AC726

Uniqueness

Uniqueness Score: -1.00%

Function 0152D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.510888605.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f71e87276ca95326e0428e35a3dd097d885802e9d6cd539032f8bf90718e4f
Instruction ID: 10e3b047b25b5ac1c0e3a26bdf0dec05699628a119b3d30edc358d31db50c0ac
Opcode Fuzzy Hash: e8f71e87276ca95326e0428e35a3dd097d885802e9d6cd539032f8bf90718e4f
Instruction Fuzzy Hash: 9A212572604240DFDB05CF54D9C0B5ABFB5FB89328F248569E8050F686C376D85ACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.510888605.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd8a7a280df8f5bf9f5f76be26c3cf5e5134af1524968e00178f7cf351f64d6
Instruction ID: dc7c18d6c113e24c90d50fe9e3806ee4ee91139ff0d18c45366d1ff9ee3811f7
Opcode Fuzzy Hash: ffd8a7a280df8f5bf9f5f76be26c3cf5e5134af1524968e00178f7cf351f64d6
Instruction Fuzzy Hash: D4210372504240EFDB05DF54D9C0BAABBB5FB89324F24C969E8090F686C376E856C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 0153E3DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.511013596.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_153d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181324d71ce802fecb4f579919b947bacc42cb8d67fab2e9256e1c223b98fb13
Instruction ID: aff3c7c02e788c8f3a75990457c143f1a006097226f4a0c8566af66d143480b1
Opcode Fuzzy Hash: 181324d71ce802fecb4f579919b947bacc42cb8d67fab2e9256e1c223b98fb13
Instruction Fuzzy Hash: 7521F275504240EFDB05DF14D9C5B1ABBE5FB88228F24C96DE9094F746C33AD84ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.510888605.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: ffef5b50648c1d4b0fe280e491ffe083249955182f35125deb877d6ddaf22e89
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 5C11D376504280CFDB12CF54D5C4B1ABF71FB85324F2486A9D8054F656C33AD556CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.510888605.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_152d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 325336caeb1490feb3dc6204def1ae9227374be6e56714f4085abaa27c9875bb
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 6511B176404280DFCB02CF54D5C4B5ABF72FB85324F24C6A9D8080B656C33AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BANK DATAILS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK DATAILS.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
BANK DATAILS.exe

Function 00F44A10 Relevance: 4.1, Strings: 3, Instructions: 369
COMMON

Function 00F44A06 Relevance: 2.9, Strings: 2, Instructions: 353
COMMON

Function 00F49CC8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 196
COMMON

Function 00F4AA2C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00F4C5D9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00F4A128 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Function 00F49048 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 00F49EA8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 061E70A7 Relevance: 3.3, APIs: 2, Instructions: 344
COMMON

Function 061E7090 Relevance: 3.3, APIs: 2, Instructions: 343
COMMON

Function 061E70E4 Relevance: 3.3, APIs: 2, Instructions: 338
COMMON

Function 061E7121 Relevance: 3.3, APIs: 2, Instructions: 332
COMMON

Function 061E715E Relevance: 3.3, APIs: 2, Instructions: 326
COMMON

Function 061E71A5 Relevance: 3.3, APIs: 2, Instructions: 319
COMMON