Windows Analysis Report
BANK DATAILS.exe

Overview

General Information

Sample Name: BANK DATAILS.exe
Analysis ID: 679255
MD5: 9c8721d5f0dfcb5893766810fc016b1b
SHA1: 097e2d6bd75f55fee4ba991696d15bbd0f73137f
SHA256: 22083794e761ae3e2fb684244ddadba8353b0dc25549d9591dbbd118dde52054
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • BANK DATAILS.exe (PID: 5276 cmdline: "C:\Users\user\Desktop\BANK DATAILS.exe" MD5: 9C8721D5F0DFCB5893766810FC016B1B)
    • MSBuild.exe (PID: 916 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
    • MSBuild.exe (PID: 5676 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
    • MSBuild.exe (PID: 2908 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup
Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Username": "quality@keeprojects.in", "Password": "quality#@!", "Host": "webmail.keeprojects.in"}
Source | Rule | Description | Author
00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30097:$a13: get_DnsResolver
  • 0x2e899:$a20: get_LastAccessed
  • 0x30a15:$a27: set_InternalServerPort
  • 0x30d31:$a30: set_GuidMasterKey
  • 0x2e9a0:$a33: get_Clipboard
  • 0x2e9ae:$a34: get_Keyboard
  • 0x2fcb2:$a35: get_ShiftKeyDown
  • 0x2fcc3:$a36: get_AltKeyDown
  • 0x2e9bb:$a37: get_Password
  • 0x2f462:$a38: get_PasswordHash
  • 0x30497:$a39: get_DefaultCredentials
00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(10 further memory-dump entries not shown)
Source | Rule | Description | Author
0.2.BANK DATAILS.exe.3b41a00.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.BANK DATAILS.exe.3b41a00.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.BANK DATAILS.exe.3b41a00.1.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30d6c:$s10: logins
  • 0x307d3:$s11: credential
  • 0x2cda0:$g1: get_Clipboard
  • 0x2cdae:$g2: get_Keyboard
  • 0x2cdbb:$g3: get_Password
  • 0x2e0a2:$g4: get_CtrlKeyDown
  • 0x2e0b2:$g5: get_ShiftKeyDown
  • 0x2e0c3:$g6: get_AltKeyDown
0.2.BANK DATAILS.exe.3b41a00.1.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x2e497:$a13: get_DnsResolver
  • 0x2cc99:$a20: get_LastAccessed
  • 0x2ee15:$a27: set_InternalServerPort
  • 0x2f131:$a30: set_GuidMasterKey
  • 0x2cda0:$a33: get_Clipboard
  • 0x2cdae:$a34: get_Keyboard
  • 0x2e0b2:$a35: get_ShiftKeyDown
  • 0x2e0c3:$a36: get_AltKeyDown
  • 0x2cdbb:$a37: get_Password
  • 0x2d862:$a38: get_PasswordHash
  • 0x2e897:$a39: get_DefaultCredentials
6.0.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(11 further unpacked-PE entries not shown)
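The string hits listed above (for example 0x2cda0:$g1: get_Clipboard) are Yara reporting where each rule string occurs in the dumped .NET image. The offsets advance by string length plus one because the names sit NUL-terminated in the assembly's #Strings heap: 0x2e9a0 to 0x2e9ae is 14 bytes, the 13 characters of get_Clipboard plus its terminator, and 0x2e9ae to 0x2e9bb is 13, the 12 characters of get_Keyboard plus its terminator. The following added example, which is not from the report and not the rule authors' code, reproduces that offset listing in pure Python for the ditekSHen strings shown, over a constructed stand-in buffer. The condition it evaluates is illustrative only and is not the real rule's condition.

```python
"""Added example (not from the Joe Sandbox report or the Yara rule authors):
reproduce the kind of string hits the report lists (e.g. 0x2cda0:$g1: get_Clipboard)
with a tiny pure-Python matcher, so the hit offsets and a condition can be
inspected without yara-python. The strings are the ones the report shows for
ditekSHen's MALWARE_Win_AgentTeslaV3 rule; the condition below is illustrative
and is NOT the real rule's condition (assumption)."""
import re
from collections import defaultdict

# String identifiers and values copied from the report's rule output.
AGENTTESLA_V3_STRINGS = {
    "$s10": b"logins",
    "$s11": b"credential",
    "$g1": b"get_Clipboard",
    "$g2": b"get_Keyboard",
    "$g3": b"get_Password",
    "$g4": b"get_CtrlKeyDown",
    "$g5": b"get_ShiftKeyDown",
    "$g6": b"get_AltKeyDown",
}


def find_hits(buf: bytes, strings=AGENTTESLA_V3_STRINGS) -> dict:
    """Return {identifier: [offsets]} for every occurrence of every string,
    mirroring Yara's per-string offset list."""
    hits = defaultdict(list)
    for ident, needle in strings.items():
        for m in re.finditer(re.escape(needle), buf):
            hits[ident].append(m.start())
    return dict(hits)


def matches(hits: dict) -> bool:
    """Illustrative condition (assumption, not the rule's): all of ($g*) and any of ($s*)."""
    g_all = all(i in hits for i in AGENTTESLA_V3_STRINGS if i.startswith("$g"))
    s_any = any(i in hits for i in AGENTTESLA_V3_STRINGS if i.startswith("$s"))
    return g_all and s_any


def format_hits(hits: dict) -> list:
    """Render hits the way the report prints them: 0x2cda0:$g1: get_Clipboard"""
    lines = []
    for ident, offs in sorted(hits.items()):
        for off in offs:
            lines.append(f"0x{off:x}:{ident}: {AGENTTESLA_V3_STRINGS[ident].decode()}")
    return lines


def build_sample() -> bytes:
    """Constructed stand-in for a dumped .NET #Strings heap: method names laid out
    NUL-terminated after 0x20 bytes of filler. Not bytes from the real sample."""
    names = [b"get_Clipboard", b"get_Keyboard", b"get_Password", b"get_CtrlKeyDown",
             b"get_ShiftKeyDown", b"get_AltKeyDown", b"credential"]
    return b"\x00" * 0x20 + b"\x00".join(names) + b"\x00"


if __name__ == "__main__":
    sample_hits = find_hits(build_sample())
    print("\n".join(format_hits(sample_hits)))
    print("match:", matches(sample_hits))
```

On the constructed heap the offsets come out 0x20, 0x2e, 0x3b and so on, the same length-plus-one spacing as the report's real offsets, which is a quick way to confirm a hit is on .NET metadata rather than on a coincidental string in data.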

                Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.195.185.58, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2908, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49737

Snort IDS alerts (all on the flow 192.168.2.3:49737 -> 103.195.185.58:587, TCP):
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
08/05/22-13:24:47.100821 | 2839723 | 49737 | 587 | TCP | A Network Trojan was detected
08/05/22-13:24:47.100944 | 2851779 | 49737 | 587 | TCP | A Network Trojan was detected
08/05/22-13:24:47.100944 | 2840032 | 49737 | 587 | TCP | A Network Trojan was detected
08/05/22-13:24:47.100821 | 2030171 | 49737 | 587 | TCP | A Network Trojan was detected
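Two things in this report are worth turning into host-side detections: the process tree, where BANK DATAILS.exe launches MSBuild.exe three times with nothing but the executable path on the command line (the shape left by creating a process suspended and replacing its image), and the network event above, where that MSBuild.exe initiates a TCP connection to port 587, which is what the Sigma hit "MSBuild connects to smtp port" flags. The following added example, which is not from the report and not a Joe Sandbox or Sigma artefact, implements both checks over Sysmon-style records written in the "Key: value, Key: value" form the report prints under Data:. The field names (EventID, Image, CommandLine, ParentImage, ProcessId, DestinationPort, Initiated) are Sysmon's; the set of parents considered legitimate for MSBuild.exe is an assumption to tune per estate, and all sample records are constructed.

```python
"""Added example, not part of the Joe Sandbox report: a minimal detector over
Sysmon-style network (EventID 3) and process-creation (EventID 1) records in the
"Key: value, Key: value" form the report prints under Data:. Two checks:
  1. MSBuild.exe initiating a connection to an SMTP port (25/465/587);
  2. MSBuild.exe started with a bare command line (no project file) by a parent
     that is not a build tool, the shape of the hollowed MSBuild.exe children here.
Sample records are constructed; field names follow Sysmon's schema."""
from dataclasses import dataclass

SMTP_PORTS = {25, 465, 587}
# Parents that legitimately launch MSBuild.exe (assumption: tune to your estate).
LEGIT_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe", "powershell.exe"}


def parse_event(line: str) -> dict:
    """Parse 'Key: value, Key: value'. Splits on ', ' and then on the first ': '
    only, so drive letters (C:\\...) survive; a value containing ', ' would not,
    which is why a real pipeline should consume Sysmon's XML/JSON instead."""
    ev = {}
    for field in line.split(", "):
        key, _, val = field.partition(": ")
        ev[key.strip()] = val.strip()
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    rule: str
    pid: str
    detail: str


def check_event(ev: dict):
    """Return an Alert for a suspicious record, else None."""
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    if eid == "3" and image == "msbuild.exe" and ev.get("Initiated", "").lower() == "true":
        port = int(ev.get("DestinationPort", "0"))
        if port in SMTP_PORTS:
            return Alert("msbuild_smtp_connect", ev.get("ProcessId", "?"),
                         f"{ev.get('DestinationIp')}:{port}")
    if eid == "1" and image == "msbuild.exe":
        cmd = ev.get("CommandLine", "").strip().strip('"')
        parent = basename(ev.get("ParentImage", ""))
        # A bare MSBuild.exe (no project, no switches) from a non-build parent is
        # the process-hollowing shape seen in this report's process tree.
        if basename(cmd) == "msbuild.exe" and parent not in LEGIT_MSBUILD_PARENTS:
            return Alert("msbuild_bare_launch", ev.get("ProcessId", "?"), f"parent={parent}")
    return None


def scan(lines):
    """Run check_event over each record and collect the alerts."""
    alerts = []
    for line in lines:
        a = check_event(parse_event(line))
        if a:
            alerts.append(a)
    return alerts


# Constructed records: the first mirrors the report's Data: line, the rest are made up.
SAMPLE_EVENTS = [
    "DestinationIp: 103.195.185.58, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, "
    "Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, Initiated: true, "
    "ProcessId: 2908, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49737",
    "EventID: 1, Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
    "CommandLine: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
    "ParentImage: C:\\Users\\user\\Desktop\\BANK DATAILS.exe, ProcessId: 2908",
    "EventID: 1, Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, "
    "CommandLine: MSBuild.exe build.proj /t:Rebuild, "
    "ParentImage: C:\\Program Files\\Microsoft Visual Studio\\devenv.exe, ProcessId: 4100",
    "DestinationIp: 10.0.0.5, DestinationPort: 443, EventID: 3, "
    "Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe, Initiated: true, ProcessId: 4100",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Of the four constructed records only the first two alert: the port-587 connection from PID 2908 and the bare MSBuild.exe launched by a Desktop executable. A developer's MSBuild.exe started by devenv.exe with a project file, and an MSBuild.exe talking to 443, pass through, which is the false-positive boundary a detection like this has to sit on.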


                AV Detection

Source: BANK DATAILS.exe | Virustotal: Detection: 54%
Source: BANK DATAILS.exe | ReversingLabs: Detection: 35%
Source: webmail.keeprojects.in | Virustotal: Detection: 6%
Source: BANK DATAILS.exe | Joe Sandbox ML: detected
Source: 6.0.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.MSBuild.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "quality@keeprojects.in", "Password": "quality#@!", "Host": "webmail.keeprojects.in"}
Source: BANK DATAILS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BANK DATAILS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49737 -> 103.195.185.58:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49737 -> 103.195.185.58:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49737 -> 103.195.185.58:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49737 -> 103.195.185.58:587
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | IP Address: 103.195.185.58
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 103.195.185.58:587
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nhEGCU.com
Source: BANK DATAILS.exe | String found in binary or memory: http://tempuri.org/MyCollectionDataSet.xsd
Source: MSBuild.exe, 00000006.00000002.517794131.0000000003383000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://webmail.keeprojects.in
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/de
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BANK DATAILS.exe, 00000000.00000003.253469560.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253525233.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253493892.000000000593D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BANK DATAILS.exe, 00000000.00000003.253469560.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253525233.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253493892.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253575573.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253540774.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253620821.000000000593D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmle
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comFHs
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTFds
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcom
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomdms
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdv
Source: BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comede
Source: BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: BANK DATAILS.exe, 00000000.00000003.253363943.000000000590A000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: BANK DATAILS.exe, 00000000.00000003.287367631.0000000005900000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comldom
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comtto
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245874250.000000000591B000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245858860.0000000005924000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245884516.0000000005924000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245841440.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: BANK DATAILS.exe, 00000000.00000003.249079298.0000000005909000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248813527.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.c
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248786545.000000000593D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: BANK DATAILS.exe, 00000000.00000003.248813527.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn.
Source: BANK DATAILS.exe, 00000000.00000003.249073188.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: BANK DATAILS.exe, 00000000.00000003.249073188.0000000005904000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/TDhB
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BANK DATAILS.exe, 00000000.00000003.248786545.000000000593D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-n
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BANK DATAILS.exe, 00000000.00000003.245996369.0000000005923000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245926609.0000000005922000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.245609029.0000000005923000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.krB
Source: BANK DATAILS.exe, 00000000.00000003.248046779.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.krdq
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.246417212.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: BANK DATAILS.exe, 00000000.00000003.246280740.000000000591B000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.246417212.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com&Q
Source: BANK DATAILS.exe, 00000000.00000003.246434562.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comaQ
Source: BANK DATAILS.exe, 00000000.00000003.246434562.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comc
Source: BANK DATAILS.exe, 00000000.00000003.246280740.000000000591B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comh
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.de
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: BANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deyq
Source: BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://X837hbNl7u614NNf6o.net
Source: MSBuild.exe, 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: webmail.keeprojects.in

                System Summary

Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{72ADB0BD-E6D8-456C-B710-D9724B0D01CB}/ADCCF321-56D8-41E2-B0A6-436B52B63111.cs | Large array initialization: .cctor: array initializer size 11618
Source: BANK DATAILS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
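The SUSP_Reversed_Base64_Encoded_EXE hit in the memory of PID 5276, together with the 11618-byte array initializer in the unpacked MSBuild.exe image, describes how the loader stages its payload: the next-stage PE is kept as a base64 string whose characters have been reversed, and the loader reverses and decodes it before injecting it into the suspended MSBuild.exe. The following added example is not from the report and is not Florian Roth's rule; it is a small triage scanner for that staging trick. It finds long base64 runs in a dump (both ASCII and UTF-16LE, since .NET string literals are stored wide), tries each run as-is and reversed, and reports the runs that decode to an MZ/PE image. The blob it scans is constructed from a fake PE header and is not data from the sample.

```python
"""Added example, not part of the Joe Sandbox report or of the
SUSP_Reversed_Base64_Encoded_EXE rule it cites: a triage scanner for a PE image
stored as a base64 string with its characters reversed, which a .NET loader
reverses and decodes at runtime. Finds long base64 runs (ASCII and UTF-16LE),
tries each as-is and reversed, and reports those that decode to an MZ/PE image.
The sample blob is constructed from a fake PE header, not taken from the sample."""
import base64
import binascii
import re

# A reversed base64 string carries its '=' padding at the front, so allow it on either end.
ASCII_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}={0,2}")
# UTF-16LE: every base64 character is followed by a NUL byte.
WIDE_RUN = re.compile(rb"(?:[A-Za-z0-9+/=]\x00){64,}")


def looks_like_pe(data: bytes) -> bool:
    """DOS header 'MZ' and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_decode(run: bytes):
    """Decode a base64 run after normalising its padding; None if not valid base64."""
    run = run.strip(b"=")
    run += b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(run, validate=True)
    except binascii.Error:
        return None


def base64_runs(buf: bytes):
    """Yield (offset, encoding, run_as_ascii_bytes) for ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group()
    for m in WIDE_RUN.finditer(buf):
        yield m.start(), "utf16le", m.group()[::2]  # drop the interleaved NULs


def find_encoded_pe(buf: bytes):
    """Return [(offset, encoding, orientation, decoded_size)] for runs that decode to a PE."""
    found = []
    for off, enc, run in base64_runs(buf):
        for orientation, candidate in (("as-is", run), ("reversed", run[::-1])):
            data = try_decode(candidate)
            if data and looks_like_pe(data):
                found.append((off, enc, orientation, len(data)))
                break
    return found


def make_fake_pe() -> bytes:
    """Constructed stand-in payload: a 64-byte DOS header with e_lfanew = 0x40, then a
    PE signature and zero padding (128 bytes). Not a real or runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


def make_sample_blob() -> bytes:
    """Constructed dump-like blob: filler, the reversed base64 payload stored as a
    UTF-16LE .NET string, then an unrelated forward base64 run that is not a PE."""
    reversed_b64 = base64.b64encode(make_fake_pe())[::-1]
    wide = reversed_b64.decode("ascii").encode("utf-16-le")
    benign = base64.b64encode(b"A" * 90)  # 120 chars of ordinary base64 text
    return b"\x00" * 32 + wide + b"\x00\x00;" + benign + b";\x00" * 4


if __name__ == "__main__":
    for hit in find_encoded_pe(make_sample_blob()):
        print("offset=0x%x encoding=%s orientation=%s size=%d" % hit)
```

On the constructed blob the only hit is the wide string at offset 32, reported as "reversed" with a 128-byte decoded image; the forward base64 text run decodes in both orientations but never to an MZ/PE header, so it is ignored. On a real process dump the decoded bytes are what you hand to the next stage of analysis, and the run's orientation tells you whether the loader is the reversing kind this rule was written for.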
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Code function: 0_2_00F44A10
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Code function: 0_2_00F4C4B4
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Code function: 0_2_00F44A06
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Code function: 0_2_00F4ED60
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Code function: 0_2_00F4ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0159F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0159F3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_01596120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_061EB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_061EC480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_061E1FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_061E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_06824EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068266C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0682C7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0682EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0682E020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068232A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_06821D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_069B4040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_069B1CD8
Source: BANK DATAILS.exe, 00000000.00000000.241417077.0000000000598000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerQooZu.exe: vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBoluxvACLLYUDPsbdXzoAMGZzttgGVPry.exe4 vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.296493208.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.290109071.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.290109071.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBoluxvACLLYUDPsbdXzoAMGZzttgGVPry.exe4 vs BANK DATAILS.exe
Source: BANK DATAILS.exe, 00000000.00000002.304934354.00000000072E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK DATAILS.exe
Source: BANK DATAILS.exe | Binary or memory string: OriginalFilenamerQooZu.exe: vs BANK DATAILS.exe
Source: BANK DATAILS.exe | Virustotal: Detection: 54%
Source: BANK DATAILS.exe | ReversingLabs: Detection: 35%
Source: BANK DATAILS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\BANK DATAILS.exe "C:\Users\user\Desktop\BANK DATAILS.exe"
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BANK DATAILS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK DATAILS.exe.log
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@7/1@1/2
Source: BANK DATAILS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 6.0.MSBuild.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BANK DATAILS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: BANK DATAILS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BANK DATAILS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Code function: 0_2_00F40015 push esp; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_061E9770 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_061E3139 push es; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_061EF1C8 push esp; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068232A8 push es; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0682178F push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0682179B push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068217EB push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_06821753 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068218AF push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068218B3 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068240B1 push es; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_06821CCA push 10061CCFh; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_06821817 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_0682181B push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_06821867 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_068241D9 push es; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_06824149 push es; iretd
Source: initial sample | Static PE information: section name: .text entropy: 6.9916083972247
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\BANK DATAILS.exe TID: 5416 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5924 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5960 | Thread sleep count: 9701 > 30
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 9701
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: MSBuild.exe, 00000006.00000002.522911178.00000000064DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000003.326970071.00000000064CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj[[$
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: BANK DATAILS.exe, 00000000.00000002.292195714.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 6_2_069B5488 LdrInitializeThunk,
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Users\user\Desktop\BANK DATAILS.exe VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BANK DATAILS.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\BANK DATAILS.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match    File source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match    File source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match    File source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match    File source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR
                Source: Yara match    File source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe    File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: Yara match    File source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match    File source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match    File source: 0.2.BANK DATAILS.exe.3b41a00.1.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 6.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 0.2.BANK DATAILS.exe.3b41a00.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 0.2.BANK DATAILS.exe.3a60980.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match    File source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match    File source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match    File source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match    File source: Process Memory Space: BANK DATAILS.exe PID: 5276, type: MEMORYSTR
                Source: Yara match    File source: Process Memory Space: MSBuild.exe PID: 2908, type: MEMORYSTR

                MITRE ATT&CK Matrix (interactive matrix flattened by extraction; only the recoverable information is kept)

                Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact

                Techniques carrying a count badge, by tactic (numeric prefixes kept as rendered):
                Execution: 211 Windows Management Instrumentation
                Privilege Escalation: 11 Process Injection
                Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing
                Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry
                Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery
                Collection: 1 Email Collection; 11 Archive Collected Data; 2 Data from Local System
                Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol
                Source               Detection   Scanner          Label
                BANK DATAILS.exe     55%         Virustotal
                BANK DATAILS.exe     35%         ReversingLabs    ByteCode-MSIL.Spyware.SnakeLogger
                BANK DATAILS.exe     100%        Joe Sandbox ML

                No Antivirus matches

                Source                             Detection   Scanner   Label
                6.0.MSBuild.exe.400000.0.unpack    100%        Avira     TR/Spy.Gen8

                Source                     Detection   Scanner      Label
                webmail.keeprojects.in     7%          Virustotal
                Name                      IP                Active   Malicious   Antivirus Detection   Reputation
                webmail.keeprojects.in    103.195.185.58    true     true                              unknown
                                  http://www.carterandcone.comlBANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cn/BANK DATAILS.exe, 00000000.00000003.249073188.0000000005904000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNBANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cn.BANK DATAILS.exe, 00000000.00000003.248813527.0000000005904000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cnBANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.248786545.000000000593D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlBANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.fontbureau.com/designers/cabarga.htmlBANK DATAILS.exe, 00000000.00000003.253469560.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253525233.000000000593D000.00000004.00000800.00020000.00000000.sdmp, BANK DATAILS.exe, 00000000.00000003.253493892.000000000593D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.urwpp.deyqBANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.comoBANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers8BANK DATAILS.exe, 00000000.00000002.301969282.0000000006B92000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.fontbureau.comalsBANK DATAILS.exe, 00000000.00000003.254055255.0000000005909000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comedeBANK DATAILS.exe, 00000000.00000003.253039302.0000000005909000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.tiro.comhBANK DATAILS.exe, 00000000.00000003.246280740.000000000591B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.tiro.comcBANK DATAILS.exe, 00000000.00000003.246434562.000000000591B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.195.185.58 | webmail.keeprojects.in | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                                          IP
                                          192.168.2.1
                                          Joe Sandbox Version:35.0.0 Citrine
                                          Analysis ID:679255
Start date and time: 05/08/2022 13:23:06 (2022-08-05 13:23:06 +02:00)
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 7m 30s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:BANK DATAILS.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.spre.troj.spyw.evad.winEXE@7/1@1/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                          • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:24:18 | API Interceptor | 1x Sleep call for process: BANK DATAILS.exe modified
13:24:30 | API Interceptor | 678x Sleep call for process: MSBuild.exe modified
                                          No context
                                          Process:C:\Users\user\Desktop\BANK DATAILS.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.984069886555404
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:BANK DATAILS.exe
                                          File size:845312
                                          MD5:9c8721d5f0dfcb5893766810fc016b1b
                                          SHA1:097e2d6bd75f55fee4ba991696d15bbd0f73137f
                                          SHA256:22083794e761ae3e2fb684244ddadba8353b0dc25549d9591dbbd118dde52054
                                          SHA512:83e9bd28a1ff90448cd029742dcf3dfea760ed70112ab85e840c661c053d59531f521e3d09a49c545cc7dc26b7bfc76d106e0bb3692b88c64c4f03acbe6177fa
                                          SSDEEP:12288:OxjlkBIh6kLw/997uWi+bLtVo80FuYAMrovCSePuv:AsiAJJb3o8zsIh
                                          TLSH:1205AE0123D17519E23E4F7549E2D0709BB7ED279826E2EE2CC83D4FB77BA448952722
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..b..............P.............>.... ........@.. .......................@............@................................
                                          Icon Hash:00828e8e8686b000
                                          Entrypoint:0x4cfd3e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x62ECC24C [Fri Aug 5 07:10:04 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes following the jmp are zero padding)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcfce8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x390 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcdd44 | 0xcde00 | False | 0.6690407748937462 | data | 6.9916083972247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd0000 | 0x390 | 0x400 | False | 0.3828125 | data | 2.893537260945271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd0058 | 0x334 | data | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/05/22-13:24:47.100821 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49737 | 587 | 192.168.2.3 | 103.195.185.58
08/05/22-13:24:47.100944 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49737 | 587 | 192.168.2.3 | 103.195.185.58
08/05/22-13:24:47.100944 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49737 | 587 | 192.168.2.3 | 103.195.185.58
08/05/22-13:24:47.100821 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 13:24:44.522775888 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:44.658198118 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:44.658328056 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:45.731394053 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:45.731714964 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:45.869232893 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:45.870805979 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:46.004103899 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:46.019043922 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:46.192163944 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:46.662942886 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:46.663623095 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:46.796436071 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:46.796494007 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:46.796808004 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:46.966094017 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:46.966377974 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:47.099303961 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:47.099961996 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:47.100821018 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:47.100944042 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:47.101768017 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:47.101867914 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Aug 5, 2022 13:24:47.235477924 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:47.235764980 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:47.241832972 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3
Aug 5, 2022 13:24:47.358130932 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 13:24:44.114614964 CEST | 58204 | 53 | 192.168.2.3 | 8.8.8.8
Aug 5, 2022 13:24:44.500737906 CEST | 53 | 58204 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 13:24:44.114614964 CEST | 192.168.2.3 | 8.8.8.8 | 0xa87c | Standard query (0) | webmail.keeprojects.in | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 13:24:44.500737906 CEST | 8.8.8.8 | 192.168.2.3 | 0xa87c | No error (0) | webmail.keeprojects.in | | 103.195.185.58 | A (IP address) | IN (0x0001)
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                          Aug 5, 2022 13:24:45.731394053 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 220-md-in-88.webhostbox.net ESMTP Exim 4.95 #2 Fri, 05 Aug 2022 11:24:45 +0000
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          Aug 5, 2022 13:24:45.731714964 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | EHLO 813435
                                          Aug 5, 2022 13:24:45.869232893 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250-md-in-88.webhostbox.net Hello 813435 [102.129.143.3]
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-PIPE_CONNECT
                                          250-AUTH PLAIN LOGIN
                                          250-STARTTLS
                                          250 HELP
                                          Aug 5, 2022 13:24:45.870805979 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | AUTH login cXVhbGl0eUBrZWVwcm9qZWN0cy5pbg==
                                          Aug 5, 2022 13:24:46.004103899 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                                          Aug 5, 2022 13:24:46.662942886 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 235 Authentication succeeded
                                          Aug 5, 2022 13:24:46.663623095 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | MAIL FROM:<quality@keeprojects.in>
                                          Aug 5, 2022 13:24:46.796494007 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250 OK
                                          Aug 5, 2022 13:24:46.796808004 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | RCPT TO:<uuc7470@gmail.com>
                                          Aug 5, 2022 13:24:46.966094017 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250 Accepted
                                          Aug 5, 2022 13:24:46.966377974 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | DATA
                                          Aug 5, 2022 13:24:47.099961996 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
                                          Aug 5, 2022 13:24:47.101867914 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | .
                                          Aug 5, 2022 13:24:47.241832972 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250 OK id=1oJvRf-004L0Y-0K
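The exchange above is the AgentTesla exfiltration path: log in to the operator's own mailbox on the submission port, then hand the stolen data to a drop address. As an added example (not Joe Sandbox code), the Python below takes the table rows, copied here with pipe-separated columns (an assumed layout, not the report's), and pulls out what a responder wants: the server and its banner, the EHLO name, the public IP the server echoed back, the AUTH LOGIN username decoded from base64, whether STARTTLS was offered and ignored, the envelope sender and recipients, and the queue id. Direction is inferred by treating the first row's source as the server; the handling of AUTH PLAIN and of chained 334 challenges goes beyond what this capture contains.

```python
# Added example, not Joe Sandbox code. The pipe-separated layout and the
# direction inference (first row = server banner) are assumptions.
import base64
import re

# Rows copied from the SMTP table above:
# timestamp | src port | dst port | src IP | dst IP | command.
# Bare lines continue a multi-line server reply.
SMTP_TABLE = """\
Aug 5, 2022 13:24:45.731394053 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 220-md-in-88.webhostbox.net ESMTP Exim 4.95 #2 Fri, 05 Aug 2022 11:24:45 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Aug 5, 2022 13:24:45.731714964 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | EHLO 813435
Aug 5, 2022 13:24:45.869232893 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250-md-in-88.webhostbox.net Hello 813435 [102.129.143.3]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Aug 5, 2022 13:24:45.870805979 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | AUTH login cXVhbGl0eUBrZWVwcm9qZWN0cy5pbg==
Aug 5, 2022 13:24:46.004103899 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Aug 5, 2022 13:24:46.662942886 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 235 Authentication succeeded
Aug 5, 2022 13:24:46.663623095 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | MAIL FROM:<quality@keeprojects.in>
Aug 5, 2022 13:24:46.796494007 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250 OK
Aug 5, 2022 13:24:46.796808004 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | RCPT TO:<uuc7470@gmail.com>
Aug 5, 2022 13:24:46.966094017 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250 Accepted
Aug 5, 2022 13:24:46.966377974 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | DATA
Aug 5, 2022 13:24:47.099961996 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
Aug 5, 2022 13:24:47.101867914 CEST | 49737 | 587 | 192.168.2.3 | 103.195.185.58 | .
Aug 5, 2022 13:24:47.241832972 CEST | 587 | 49737 | 103.195.185.58 | 192.168.2.3 | 250 OK id=1oJvRf-004L0Y-0K
"""


def parse_turns(text):
    """Group rows into (from_client, lines) turns. The first row is the
    banner, so its source IP is the server; later rows are attributed by
    comparing their source IP against it."""
    turns, server_ip = [], None
    for raw in text.splitlines():
        if " | " in raw:
            _ts, _sp, _dp, sip, _dip, cmd = [c.strip() for c in raw.split(" | ", 5)]
            server_ip = server_ip or sip
            turns.append((sip != server_ip, [cmd]))
        elif turns and raw.strip():
            turns[-1][1].append(raw.strip())
    return server_ip, turns


def b64text(s):
    return base64.b64decode(s).decode("utf-8", "replace")


def extract_iocs(text):
    """Walk the dialogue once, tracking TLS state and any pending AUTH LOGIN
    challenge, and return the indicators worth pivoting on."""
    server_ip, turns = parse_turns(text)
    iocs = {"server_ip": server_ip, "banner": None, "ehlo_name": None,
            "client_public_ip": None, "auth_user": None, "auth_password": None,
            "starttls_offered": False, "auth_in_clear": False,
            "mail_from": None, "rcpt_to": [], "queue_id": None}
    tls_started, expect = False, None   # expect: AUTH LOGIN field the client owes
    for from_client, lines in turns:
        head = lines[0]
        if not from_client:
            expect = None               # any server reply closes an open challenge
            if head.startswith("220") and iocs["banner"] is None:
                iocs["banner"] = head[4:]
            if any(re.match(r"250[- ]STARTTLS$", l) for l in lines):
                iocs["starttls_offered"] = True
            m = re.search(r"Hello \S+ \[([0-9a-fA-F.:]+)\]", head)
            if m:
                iocs["client_public_ip"] = m.group(1)
            if head.startswith("334 "):  # base64 prompt: "Username:" or "Password:"
                prompt = b64text(head[4:]).rstrip(": ").lower()
                expect = "auth_user" if prompt == "username" else "auth_password"
            m = re.match(r"250 OK id=(\S+)", head)
            if m:
                iocs["queue_id"] = m.group(1)
            continue
        if expect:                      # client answering the 334 challenge
            iocs[expect] = b64text(head)
            continue
        verb, _, arg = head.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            iocs["ehlo_name"] = arg
        elif verb == "STARTTLS":
            tls_started = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            iocs["auth_in_clear"] = not tls_started
            if mech.upper() == "LOGIN" and initial:
                iocs["auth_user"] = b64text(initial)
            elif mech.upper() == "PLAIN" and initial:   # \0authcid\0password
                parts = base64.b64decode(initial).split(b"\0")
                if len(parts) == 3:
                    iocs["auth_user"] = parts[1].decode("utf-8", "replace")
                    iocs["auth_password"] = parts[2].decode("utf-8", "replace")
        elif verb in ("MAIL", "RCPT"):
            m = re.search(r"<([^>]*)>", arg)
            addr = m.group(1) if m else arg.partition(":")[2]
            if verb == "MAIL":
                iocs["mail_from"] = addr
            else:
                iocs["rcpt_to"].append(addr)
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(SMTP_TABLE).items():
        print(f"{key:17} {value}")
```

On the rows above this yields auth_user and mail_from both equal to quality@keeprojects.in, rcpt_to uuc7470@gmail.com, starttls_offered True together with auth_in_clear True, and auth_password None: the client's answer to the 334 UGFzc3dvcmQ6 ("Password:") challenge is not in the capture, only the 235 that followed it. Because the login name and the envelope sender are the same mailbox, the sample must carry that credential itself, so the address and the host md-in-88.webhostbox.net are the pivots to search for across other submissions.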

                                          Target ID:0
                                          Start time:13:24:06
                                          Start date:05/08/2022
                                          Path:C:\Users\user\Desktop\BANK DATAILS.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\BANK DATAILS.exe"
                                          Imagebase:0x550000
                                          File size:845312 bytes
                                          MD5 hash:9C8721D5F0DFCB5893766810FC016B1B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.297108286.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low

                                          Target ID:4
                                          Start time:13:24:24
                                          Start date:05/08/2022
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          Wow64 process (32bit):false
                                          Commandline:{path}
                                          Imagebase:0x3a0000
                                          File size:261728 bytes
                                          MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:5
                                          Start time:13:24:25
                                          Start date:05/08/2022
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          Wow64 process (32bit):false
                                          Commandline:{path}
                                          Imagebase:0x2c0000
                                          File size:261728 bytes
                                          MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:6
                                          Start time:13:24:26
                                          Start date:05/08/2022
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0xd20000
                                          File size:261728 bytes
                                          MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.285343861.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.512007583.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
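The process list shows the pattern to detect: a native MSBuild.exe image (Target IDs 4 and 5 are started and abandoned, ID 6 survives as a 32-bit Wow64 process) whose memory matches the AgentTesla rules, while the only SMTP traffic in the run comes from the same host. As an added example (not Joe Sandbox or Sigma code), the Python below correlates constructed process-creation and network-connection records, shaped like Sysmon Event ID 1 and Event ID 3 fields, and raises a finding when a .NET framework host binary talks to a mail port. The parent/child link to BANK DATAILS.exe, the benign noise records, the list of host binaries beyond MSBuild.exe, the expected-parent list and the port set are all assumptions to be tuned to the estate.

```python
# Added example, not Joe Sandbox or Sigma code. Event records are constructed
# to resemble Sysmon Event ID 1 / ID 3 fields; all lists below are assumptions.
import ntpath

# .NET framework binaries that droppers start and inject into. MSBuild.exe is
# the one in this report; the others are an assumption.
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe",
                   "installutil.exe", "aspnet_compiler.exe"}
# Parents that legitimately launch build tooling (assumption; tune per estate).
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe", "powershell.exe"}
MAIL_PORTS = {25, 465, 587, 2525}     # smtp, smtps, submission; 2525 is an assumption

# Constructed telemetry. {A} reproduces the report's chain (Desktop dropper ->
# MSBuild.exe -> 103.195.185.58:587); {B}, {C} and {D} are benign or partial
# noise added to show how the rule behaves on them.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PROCESS_EVENTS = [
    {"ProcessGuid": "{A}", "Image": MSBUILD,
     "ParentImage": r"C:\Users\user\Desktop\BANK DATAILS.exe"},
    {"ProcessGuid": "{B}", "Image": MSBUILD,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"ProcessGuid": "{C}", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
NETWORK_EVENTS = [
    {"ProcessGuid": "{A}", "Image": MSBUILD, "Protocol": "tcp",
     "DestinationIp": "103.195.185.58", "DestinationPort": 587},
    {"ProcessGuid": "{B}", "Image": MSBUILD, "Protocol": "tcp",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},   # package restore
    {"ProcessGuid": "{C}", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Protocol": "tcp", "DestinationIp": "198.51.100.30", "DestinationPort": 587},
    {"ProcessGuid": "{D}", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.9", "DestinationPort": 25},  # no ID 1 seen
]


def base(image):
    """Case-folded file name of a Windows image path (works on any OS)."""
    return ntpath.basename(image).lower()


def mail_egress_findings(process_events, network_events):
    """Return one finding per TCP connection to a mail port made by an
    injection-host binary, graded by what the creation event says about
    its parent. Real mail clients on the same ports are ignored."""
    parents = {p["ProcessGuid"]: p["ParentImage"] for p in process_events}
    findings = []
    for n in network_events:
        if n.get("Protocol", "tcp") != "tcp" or n["DestinationPort"] not in MAIL_PORTS:
            continue
        image = base(n["Image"])
        if image not in INJECTION_HOSTS:
            continue                          # OUTLOOK.EXE on 587 is expected
        parent = parents.get(n["ProcessGuid"])
        if parent is None:
            severity = "medium"               # no creation event: ancestry unknown
        elif base(parent) in EXPECTED_PARENTS:
            severity = "medium"               # build tooling still has no reason to send mail
        else:
            severity = "high"                 # odd parent plus mail egress is the exfil pattern
        findings.append({"severity": severity, "image": image, "parent": parent,
                         "dest": f'{n["DestinationIp"]}:{n["DestinationPort"]}'})
    return findings


if __name__ == "__main__":
    for f in mail_egress_findings(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f)
```

Run as-is it produces two findings: a high-severity one for MSBuild.exe started from the Desktop dropper and connecting to 103.195.185.58:587, and a medium one for the RegAsm.exe connection that has no matching creation event. The OUTLOOK.EXE submission and MSBuild's port 443 traffic produce nothing, which is the tuning point that keeps the rule usable on developer workstations.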

                                          No disassembly