
Analysis Report ORDER.exe

Overview

General Information

Sample Name: ORDER.exe
Analysis ID: 321193
MD5: bb942c948639f5c88fb33d5e4b7d7728
SHA1: 3cf9d798266aacc9bfdaf1c2d0a5eda2b6d069ea
SHA256: 5cfd185a582c4a6811966fb1585769fa8c17d67a969c72e1135f8de537d106d4
Tags: AgentTesla, exe


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • ORDER.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\ORDER.exe' MD5: BB942C948639F5C88FB33D5E4B7D7728)
    • schtasks.exe (PID: 6728 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ORDER.exe (PID: 6876 cmdline: {path} MD5: BB942C948639F5C88FB33D5E4B7D7728)
  • kprUEGC.exe (PID: 5608 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: BB942C948639F5C88FB33D5E4B7D7728)
    • schtasks.exe (PID: 5856 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kprUEGC.exe (PID: 4928 cmdline: {path} MD5: BB942C948639F5C88FB33D5E4B7D7728)
  • kprUEGC.exe (PID: 6300 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: BB942C948639F5C88FB33D5E4B7D7728)
    • schtasks.exe (PID: 6816 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kprUEGC.exe (PID: 6648 cmdline: {path} MD5: BB942C948639F5C88FB33D5E4B7D7728)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "v8tgTH", "URL: ": "https://5PX8nQFyXZqeL8oi.com", "To: ": "weavingacc1@vasudeva.in", "ByHost: ": "mail.vasudeva.in:587", "Password: ": "UIewNIwYLjFr", "From: ": "weavingacc1@vasudeva.in"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.935335032.0000000003724000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 25 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.ORDER.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
17.2.kprUEGC.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
13.2.kprUEGC.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER.exe', ParentImage: C:\Users\user\Desktop\ORDER.exe, ParentProcessId: 6128, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp', ProcessId: 6728

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ORDER.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Avira: detection malicious, Label: TR/Kryptik.lesvd
Source: C:\Users\user\AppData\Roaming\SpHLicuA.exe | Avira: detection malicious, Label: TR/Kryptik.lesvd
Found malware configuration
Source: ORDER.exe.6876.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "v8tgTH", "URL: ": "https://5PX8nQFyXZqeL8oi.com", "To: ": "weavingacc1@vasudeva.in", "ByHost: ": "mail.vasudeva.in:587", "Password: ": "UIewNIwYLjFr", "From: ": "weavingacc1@vasudeva.in"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SpHLicuA.exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 66%
Multi AV Scanner detection for submitted file
Source: ORDER.exe | Virustotal: Detection: 65%
Source: ORDER.exe | ReversingLabs: Detection: 66%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SpHLicuA.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.ORDER.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 17.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 4x nop then jmp 054F824Dh | 0_2_054F81C7
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 4x nop then jmp 054F824Dh | 0_2_054F81D8
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 4x nop then jmp 06F0465Fh | 0_2_06F0388C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 4x nop then jmp 067E465Fh | 14_2_067E388C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49766 -> 68.233.236.158:587
May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org (6 identical queries)
Source: global traffic | TCP traffic: 192.168.2.4:49766 -> 68.233.236.158:587
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 54.235.142.93
Source: Joe Sandbox View | IP Address: 68.233.236.158
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: HVC-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: ORDER.exe, 00000000.00000002.685708534.0000000000D4A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\ORDER.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: ORDER.exe
Sample file is different than original file name gathered from version info
Source: ORDER.exe | Binary or memory string: OriginalFilename vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.685708534.0000000000D4A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.691400310.00000000073B0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.691400310.00000000073B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameXfhzKePuGoesTHRxzhWZClzMzrsKfKQYJFA.exe4 vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameND vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.691325272.0000000007350000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameXfhzKePuGoesTHRxzhWZClzMzrsKfKQYJFA.exe4 vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.939417498.0000000005AE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.930745603.0000000000F52000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameND vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.939634582.0000000006500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.930959168.0000000001358000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.940329021.00000000070A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER.exe
Source: ORDER.exe | Binary or memory string: OriginalFilenameND vs ORDER.exe
Source: ORDER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SpHLicuA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@18/11@4/3
Source: C:\Users\user\Desktop\ORDER.exe | File created: C:\Users\user\AppData\Roaming\SpHLicuA.exe
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Mutant created: \Sessions\1\BaseNamedObjects\SPwQGUGuJuZKtgTucV
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_01
Source: C:\Users\user\Desktop\ORDER.exe | File created: C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp
                  Source: ORDER.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\ORDER.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ORDER.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ORDER.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ORDER.exe | Virustotal: Detection: 65%
Source: ORDER.exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\ORDER.exe | File read: C:\Users\user\Desktop\ORDER.exe
Source: unknown | Process created: C:\Users\user\Desktop\ORDER.exe 'C:\Users\user\Desktop\ORDER.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\ORDER.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'
Source: C:\Users\user\Desktop\ORDER.exe | Process created: C:\Users\user\Desktop\ORDER.exe {path}
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\Desktop\ORDER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ORDER.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ORDER.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORDER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 0_2_00535F61 push es; retf | 0_2_005360DA
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_00F55F61 push es; retf | 3_2_00F560DA
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A45A68 push es; iretd | 3_2_06A4657C
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A476BF push es; iretd | 3_2_06A476FC
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A40EC1 push es; ret | 3_2_06A41044
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A47E3F push edi; retn 0000h | 3_2_06A47E41
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A48E0F push es; ret | 3_2_06A48E18
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A47353 push es; iretd | 3_2_06A47354
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A41093 push es; ret | 3_2_06A41094
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A410DD push es; ret | 3_2_06A410E0
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A410D9 push es; ret | 3_2_06A410DC
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A41045 push es; ret | 3_2_06A41048
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A40040 push es; retf | 3_2_06A40EC0
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06A41049 push es; ret | 3_2_06A4108C
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06ED1528 push es; retn ED1Dh | 3_2_06ED2490
Source: C:\Users\user\Desktop\ORDER.exe | Code function: 3_2_06ED1528 push es; retf | 3_2_06ED25CC
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00425F61 push es; retf | 10_2_004260DA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00AD40C0 push eax; retf 0000h | 10_2_00AD40C2
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00AD4218 push ebp; retf 0000h | 10_2_00AD421A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00AD4449 push edi; retf 0000h | 10_2_00AD444A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00AD450F push edi; retf 0000h | 10_2_00AD4512
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00ADB148 pushfd ; retf 0000h | 10_2_00ADB14A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00ADF3BD push es; iretd | 10_2_00ADF3FE
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00ADF523 push es; iretd | 10_2_00ADF526
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00ADF93C push es; iretd | 10_2_00ADF93E
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00ADDEEF push cs; iretd | 10_2_00ADDEFA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 10_2_00ADDF02 push cs; iretd | 10_2_00ADDF0A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 13_2_009F5F61 push es; retf | 13_2_009F60DA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 14_2_00315F61 push es; retf | 14_2_003160DA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 14_2_067E7CC2 push dword ptr [ebx+ebp-75h]; iretd | 14_2_067E7CCD
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 14_2_067E7DBD push FFFFFF8Bh; iretd | 14_2_067E7DBF
Source: initial sample | Static PE information: section name: .text entropy: 7.74988411895
Source: C:\Users\user\Desktop\ORDER.exe | File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: C:\Users\user\Desktop\ORDER.exe | File created: C:\Users\user\AppData\Roaming\SpHLicuA.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'
Source: C:\Users\user\Desktop\ORDER.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\ORDER.exe | File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\ORDER.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ORDER.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process information set: NOOPENFILEERRORBOX