Play interactive tour

Edit tour

Analysis Report ORDER.exe

Overview

General Information

Sample Name:	ORDER.exe
Analysis ID:	321193
MD5:	bb942c948639f5c88fb33d5e4b7d7728
SHA1:	3cf9d798266aacc9bfdaf1c2d0a5eda2b6d069ea
SHA256:	5cfd185a582c4a6811966fb1585769fa8c17d67a969c72e1135f8de537d106d4
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

ORDER.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\ORDER.exe' MD5: BB942C948639F5C88FB33D5E4B7D7728)

schtasks.exe (PID: 6728 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ORDER.exe (PID: 6876 cmdline: {path} MD5: BB942C948639F5C88FB33D5E4B7D7728)

kprUEGC.exe (PID: 5608 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: BB942C948639F5C88FB33D5E4B7D7728)

schtasks.exe (PID: 5856 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

kprUEGC.exe (PID: 4928 cmdline: {path} MD5: BB942C948639F5C88FB33D5E4B7D7728)

kprUEGC.exe (PID: 6300 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: BB942C948639F5C88FB33D5E4B7D7728)

schtasks.exe (PID: 6816 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

kprUEGC.exe (PID: 6648 cmdline: {path} MD5: BB942C948639F5C88FB33D5E4B7D7728)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "v8tgTH", "URL: ": "https://5PX8nQFyXZqeL8oi.com", "To: ": "weavingacc1@vasudeva.in", "ByHost: ": "mail.vasudeva.in:587", "Password: ": "UIewNIwYLjFr", "From: ": "weavingacc1@vasudeva.in"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.935335032.0000000003724000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.687253332.0000000003DD6000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.762865676.00000000027CC000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kprUEGC.exe PID: 6648	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kprUEGC.exe PID: 6648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kprUEGC.exe PID: 6300	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kprUEGC.exe PID: 6300	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: kprUEGC.exe PID: 4928	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kprUEGC.exe PID: 4928	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ORDER.exe PID: 6876	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER.exe PID: 6876	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ORDER.exe PID: 6128	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER.exe PID: 6128	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: kprUEGC.exe PID: 5608	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kprUEGC.exe PID: 5608	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.ORDER.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.2.kprUEGC.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.kprUEGC.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER.exe' , ParentImage: C:\Users\user\Desktop\ORDER.exe, ParentProcessId: 6128, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp', ProcessId: 6728

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: ORDER.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Avira: detection malicious, Label: TR/Kryptik.lesvd
Source: C:\Users\user\AppData\Roaming\SpHLicuA.exe	Avira: detection malicious, Label: TR/Kryptik.lesvd

Found malware configuration

Show sources

Source: ORDER.exe.6876.3.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "v8tgTH", "URL: ": "https://5PX8nQFyXZqeL8oi.com", "To: ": "weavingacc1@vasudeva.in", "ByHost: ": "mail.vasudeva.in:587", "Password: ": "UIewNIwYLjFr", "From: ": "weavingacc1@vasudeva.in"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SpHLicuA.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER.exe	Virustotal: Detection: 65%			Perma Link
Source: ORDER.exe	ReversingLabs: Detection: 66%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SpHLicuA.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: ORDER.exe

Joe Sandbox ML: detected

Source: 3.2.ORDER.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 17.2.kprUEGC.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 13.2.kprUEGC.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\ORDER.exe	Code function: 4x nop then jmp 054F824Dh	0_2_054F81C7
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 4x nop then jmp 054F824Dh	0_2_054F81D8
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 4x nop then jmp 06F0465Fh	0_2_06F0388C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 4x nop then jmp 067E465Fh	14_2_067E388C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49766 -> 68.233.236.158:587

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 68.233.236.158:587

Source: Joe Sandbox View	IP Address: 54.235.142.93 54.235.142.93
Source: Joe Sandbox View	IP Address: 54.235.142.93 54.235.142.93
Source: Joe Sandbox View	IP Address: 68.233.236.158 68.233.236.158

Source: Joe Sandbox View

ASN Name: HVC-ASUS HVC-ASUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 68.233.236.158:587

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://RKhkfz.com
Source: ORDER.exe, 00000003.00000002.934225034.000000000350B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ORDER.exe, 00000003.00000002.935479787.0000000003788000.00000004.00000001.sdmp	String found in binary or memory: http://mail.vasudeva.in
Source: ORDER.exe, 00000003.00000002.934225034.000000000350B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp, ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.762688179.0000000002781000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER.exe, 00000003.00000002.935479787.0000000003788000.00000004.00000001.sdmp	String found in binary or memory: http://vasudeva.in
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORDER.exe, 00000000.00000002.685971628.00000000010E7000.00000004.00000040.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER.exe, 00000000.00000002.685971628.00000000010E7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comiona
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ORDER.exe, 00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp	String found in binary or memory: https://5PX8nQFyXZqeL8oi.com
Source: ORDER.exe, 00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp	String found in binary or memory: https://5PX8nQFyXZqeL8oi.com4
Source: ORDER.exe, 00000003.00000003.899825885.00000000015B4000.00000004.00000001.sdmp	String found in binary or memory: https://5PX8nQFyXZqeL8oi.com853321935-2125563209-4053062332-1002_Classes
Source: ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp, ORDER.exe, 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: ORDER.exe, 00000003.00000002.934225034.000000000350B000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp, ORDER.exe, 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443

Source: ORDER.exe, 00000000.00000002.685708534.0000000000D4A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\ORDER.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: ORDER.exe

Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_0299C124	0_2_0299C124
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_0299E570	0_2_0299E570
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_0299E562	0_2_0299E562
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_054F81C7	0_2_054F81C7
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_054F81D8	0_2_054F81D8
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_054F4308	0_2_054F4308
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_054F4318	0_2_054F4318
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_054F5310	0_2_054F5310
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_06F0060B	0_2_06F0060B
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_06F01F52	0_2_06F01F52
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_06F0388C	0_2_06F0388C
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_06F01FC2	0_2_06F01FC2
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_06F0246F	0_2_06F0246F
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_034147A0	3_2_034147A0
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_034146B0	3_2_034146B0
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_0341D661	3_2_0341D661
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A42618	3_2_06A42618
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A4E7FC	3_2_06A4E7FC
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A4CDA8	3_2_06A4CDA8
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A4AB78	3_2_06A4AB78
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A42020	3_2_06A42020
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A48FF8	3_2_06A48FF8
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A4DC78	3_2_06A4DC78
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06ED3DA8	3_2_06ED3DA8
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06EDA278	3_2_06EDA278
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06ED1238	3_2_06ED1238
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06EDD200	3_2_06EDD200
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06ED6050	3_2_06ED6050
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_0708A228	3_2_0708A228
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_0708555C	3_2_0708555C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADC124	10_2_00ADC124
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADE561	10_2_00ADE561
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADE570	10_2_00ADE570
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 13_2_02CC47A0	13_2_02CC47A0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 13_2_02CC477F	13_2_02CC477F
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 13_2_02CCD820	13_2_02CCD820
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_009DC124	14_2_009DC124
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_009DE570	14_2_009DE570
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_009DE561	14_2_009DE561
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_067E060B	14_2_067E060B
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_067E1F52	14_2_067E1F52
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_067E388C	14_2_067E388C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_067E1FC2	14_2_067E1FC2
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_067E246F	14_2_067E246F

Source: ORDER.exe	Binary or memory string: OriginalFilename vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.685708534.0000000000D4A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.691400310.00000000073B0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.691400310.00000000073B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameXfhzKePuGoesTHRxzhWZClzMzrsKfKQYJFA.exe4 vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameND vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs ORDER.exe
Source: ORDER.exe, 00000000.00000002.691325272.0000000007350000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs ORDER.exe
Source: ORDER.exe	Binary or memory string: OriginalFilename vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameXfhzKePuGoesTHRxzhWZClzMzrsKfKQYJFA.exe4 vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.939417498.0000000005AE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.930745603.0000000000F52000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameND vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.939634582.0000000006500000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.930959168.0000000001358000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDER.exe
Source: ORDER.exe, 00000003.00000002.940329021.00000000070A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER.exe
Source: ORDER.exe	Binary or memory string: OriginalFilenameND vs ORDER.exe

Source: ORDER.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SpHLicuA.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@18/11@4/3

Source: C:\Users\user\Desktop\ORDER.exe

File created: C:\Users\user\AppData\Roaming\SpHLicuA.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Mutant created: \Sessions\1\BaseNamedObjects\SPwQGUGuJuZKtgTucV
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_01

Source: C:\Users\user\Desktop\ORDER.exe

File created: C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp

Jump to behavior

Source: ORDER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\ORDER.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\ORDER.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: ORDER.exe	Virustotal: Detection: 65%
Source: ORDER.exe	ReversingLabs: Detection: 66%

Source: C:\Users\user\Desktop\ORDER.exe

File read: C:\Users\user\Desktop\ORDER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDER.exe 'C:\Users\user\Desktop\ORDER.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\ORDER.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\Desktop\ORDER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process created: C:\Users\user\Desktop\ORDER.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}

Source: C:\Users\user\Desktop\ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ORDER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ORDER.exe	Code function: 0_2_00535F61 push es; retf	0_2_005360DA
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_00F55F61 push es; retf	3_2_00F560DA
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A45A68 push es; iretd	3_2_06A4657C
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A476BF push es; iretd	3_2_06A476FC
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A40EC1 push es; ret	3_2_06A41044
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A47E3F push edi; retn 0000h	3_2_06A47E41
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A48E0F push es; ret	3_2_06A48E18
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A47353 push es; iretd	3_2_06A47354
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A41093 push es; ret	3_2_06A41094
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A410DD push es; ret	3_2_06A410E0
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A410D9 push es; ret	3_2_06A410DC
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A41045 push es; ret	3_2_06A41048
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A40040 push es; retf	3_2_06A40EC0
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06A41049 push es; ret	3_2_06A4108C
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06ED1528 push es; retn ED1Dh	3_2_06ED2490
Source: C:\Users\user\Desktop\ORDER.exe	Code function: 3_2_06ED1528 push es; retf	3_2_06ED25CC
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00425F61 push es; retf	10_2_004260DA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00AD40C0 push eax; retf 0000h	10_2_00AD40C2
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00AD4218 push ebp; retf 0000h	10_2_00AD421A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00AD4449 push edi; retf 0000h	10_2_00AD444A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00AD450F push edi; retf 0000h	10_2_00AD4512
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADB148 pushfd ; retf 0000h	10_2_00ADB14A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADF3BD push es; iretd	10_2_00ADF3FE
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADF523 push es; iretd	10_2_00ADF526
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADF93C push es; iretd	10_2_00ADF93E
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADDEEF push cs; iretd	10_2_00ADDEFA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 10_2_00ADDF02 push cs; iretd	10_2_00ADDF0A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 13_2_009F5F61 push es; retf	13_2_009F60DA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_00315F61 push es; retf	14_2_003160DA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_067E7CC2 push dword ptr [ebx+ebp-75h]; iretd	14_2_067E7CCD
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_067E7DBD push FFFFFF8Bh; iretd	14_2_067E7DBF

Source: initial sample	Static PE information: section name: .text entropy: 7.74988411895
Source: initial sample	Static PE information: section name: .text entropy: 7.74988411895
Source: initial sample	Static PE information: section name: .text entropy: 7.74988411895

Source: C:\Users\user\Desktop\ORDER.exe	File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ORDER.exe	File created: C:\Users\user\AppData\Roaming\SpHLicuA.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'

Source: C:\Users\user\Desktop\ORDER.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\ORDER.exe

File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\ORDER.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.762865676.00000000027CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6300, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER.exe PID: 6128, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 5608, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\ORDER.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\ORDER.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.762865676.00000000027CC000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.762865676.00000000027CC000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ORDER.exe	Window / User API: threadDelayed 537	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Window / User API: threadDelayed 411	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Window / User API: threadDelayed 364

Source: C:\Users\user\Desktop\ORDER.exe TID: 5604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 4248	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6644	Thread sleep count: 327 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6644	Thread sleep count: 537 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -59500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -87891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -82641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -81750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -53594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -78750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -52094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -51594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -76500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -75750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -75141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -73500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -48594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -72141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -47000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -46594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -67500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -66891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -63891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -62250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -41094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -39094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -38500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -55500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -36594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -52500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -34500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -47250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -46500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -45891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -44250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -42891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -41250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -35250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -58374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -56686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -56500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -56186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -55780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -55374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -54874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -54686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -54280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -53780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -52686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -52280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -51186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -50280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -49874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -49186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -48780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -47874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -45686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -45186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -44780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -44374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -44094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -43874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -43686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -64500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -42780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -42374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -41686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -41000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -40594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -40374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -59250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -34094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -33874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -33000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -32780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -32500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -32280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -32094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -31874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -31686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -30780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -30374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe TID: 6716	Thread sleep time: -30094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 2740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5652	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5424	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5432	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5432	Thread sleep count: 411 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5424	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6408	Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6332	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6332	Thread sleep count: 364 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -53906s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -52812s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -50812s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -46406s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -43312s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -37406s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -36312s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -33906s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -33218s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -32812s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -31906s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -31718s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -30812s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -30406s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6040	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\ORDER.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\ORDER.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Last function: Thread delayed

Source: kprUEGC.exe, 0000000E.00000002.788783060.0000000002AE7000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: ORDER.exe, 00000003.00000002.939634582.0000000006500000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: kprUEGC.exe, 0000000E.00000002.785681445.0000000002731000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: kprUEGC.exe, 0000000E.00000002.785681445.0000000002731000.00000004.00000001.sdmp	Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 0000000E.00000002.785681445.0000000002731000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ORDER.exe, 00000003.00000002.939634582.0000000006500000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ORDER.exe, 00000003.00000002.939634582.0000000006500000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: kprUEGC.exe, 0000000E.00000002.788783060.0000000002AE7000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: kprUEGC.exe, 0000000E.00000002.785681445.0000000002731000.00000004.00000001.sdmp	Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools
Source: ORDER.exe, 00000003.00000002.939634582.0000000006500000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\ORDER.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDER.exe

Code function: 3_2_06EDBC48 LdrInitializeThunk,

3_2_06EDBC48

Source: C:\Users\user\Desktop\ORDER.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ORDER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\ORDER.exe	Memory written: C:\Users\user\Desktop\ORDER.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\ORDER.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\ORDER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Process created: C:\Users\user\Desktop\ORDER.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}

Source: ORDER.exe, 00000003.00000002.932483317.0000000001D30000.00000002.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.933878617.00000000017B0000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933606890.0000000001670000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ORDER.exe, 00000003.00000002.932483317.0000000001D30000.00000002.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.933878617.00000000017B0000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933606890.0000000001670000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ORDER.exe, 00000003.00000002.932483317.0000000001D30000.00000002.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.933878617.00000000017B0000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933606890.0000000001670000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ORDER.exe, 00000003.00000002.932483317.0000000001D30000.00000002.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.933878617.00000000017B0000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933606890.0000000001670000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Users\user\Desktop\ORDER.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Users\user\Desktop\ORDER.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\ORDER.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.935335032.0000000003724000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687253332.0000000003DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6648, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6300, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER.exe PID: 6128, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 5608, type: MEMORY
Source: Yara match	File source: 3.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\ORDER.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\ORDER.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\ORDER.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\ORDER.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\ORDER.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6648, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER.exe PID: 6876, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.935335032.0000000003724000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687253332.0000000003DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6648, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6300, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 4928, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER.exe PID: 6128, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 5608, type: MEMORY
Source: Yara match	File source: 3.2.ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	File and Directory Permissions Modification1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Registry Run Keys / Startup Folder1	Scheduled Task/Job1	Disable or Modify Tools1	Input Capture1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information3	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion14	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Network Configuration Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER.exe	65%	Virustotal		Browse
ORDER.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
ORDER.exe	100%	Avira	TR/Kryptik.lesvd
ORDER.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	100%	Avira	TR/Kryptik.lesvd
C:\Users\user\AppData\Roaming\SpHLicuA.exe	100%	Avira	TR/Kryptik.lesvd
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SpHLicuA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SpHLicuA.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.ORDER.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
17.2.kprUEGC.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
13.2.kprUEGC.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
vasudeva.in	0%	Virustotal		Browse
mail.vasudeva.in	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://5PX8nQFyXZqeL8oi.com853321935-2125563209-4053062332-1002_Classes	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://RKhkfz.com	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comiona	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
https://5PX8nQFyXZqeL8oi.com	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://mail.vasudeva.in	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://vasudeva.in	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://5PX8nQFyXZqeL8oi.com4	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	54.235.142.93	true	false		high
vasudeva.in	68.233.236.158	true	true	0%, Virustotal, Browse	unknown
mail.vasudeva.in	unknown	unknown	true	0%, Virustotal, Browse	unknown
api.ipify.org	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	ORDER.exe, 00000000.00000002.685971628.00000000010E7000.00000004.00000040.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://5PX8nQFyXZqeL8oi.com853321935-2125563209-4053062332-1002_Classes	ORDER.exe, 00000003.00000003.899825885.00000000015B4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://RKhkfz.com	kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comiona	ORDER.exe, 00000000.00000002.685971628.00000000010E7000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://5PX8nQFyXZqeL8oi.com	ORDER.exe, 00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.typography.netD	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org	ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp	false		high
http://fontfabrik.com	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.vasudeva.in	ORDER.exe, 00000003.00000002.935479787.0000000003788000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/	ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp, ORDER.exe, 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://vasudeva.in	ORDER.exe, 00000003.00000002.935479787.0000000003788000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
https://5PX8nQFyXZqeL8oi.com4	ORDER.exe, 00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ORDER.exe, 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp, ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.762688179.0000000002781000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	ORDER.exe, 00000000.00000002.689402690.0000000005A00000.00000002.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.768443744.0000000005860000.00000002.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.794248791.00000000056E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	ORDER.exe, 00000003.00000002.934225034.000000000350B000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	ORDER.exe, 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	ORDER.exe, 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp, ORDER.exe, 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp, kprUEGC.exe, 0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.235.142.93	unknown	United States		14618	AMAZON-AESUS	false
68.233.236.158	unknown	United States		29802	HVC-ASUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321193
Start date:	20.11.2020
Start time:	15:34:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@18/11@4/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 185 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 51.104.139.180, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:35:27	API Interceptor	783x Sleep call for process: ORDER.exe modified
15:35:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
15:36:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
15:36:02	API Interceptor	920x Sleep call for process: kprUEGC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.235.142.93	RVAgYSH2qh.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	BUILDING ORDER_PROPERTY SPECS.exe	Get hash	malicious	Browse	api.ipify.org/
	1118_8732615.doc	Get hash	malicious	Browse	api.ipify.org/
	XN33CLWH.EXE	Get hash	malicious	Browse	api.ipify.org/
	Al-Hbb_Doc-EUR_Pdf.exe	Get hash	malicious	Browse	api.ipify.org/
	YV2q4nAPVQ.exe	Get hash	malicious	Browse	api.ipify.org/
	1105_748543.doc	Get hash	malicious	Browse	api.ipify.org/
	174028911-035110-sanlccjavap0004-1.exe	Get hash	malicious	Browse	api.ipify.org/
	RFQ-NOV-2020.exe	Get hash	malicious	Browse	api.ipify.org/
	OZmn6gKEgi.exe	Get hash	malicious	Browse	api.ipify.org/
	WFDKJ4wsQ6.exe	Get hash	malicious	Browse	api.ipify.org/
68.233.236.158	TT COPY.exe	Get hash	malicious	Browse
	TT COPY.exe	Get hash	malicious	Browse
	TT COPY.exe	Get hash	malicious	Browse
	New order 20001789.exe	Get hash	malicious	Browse
	ORD002344536.exe	Get hash	malicious	Browse
	ORD002344536.exe	Get hash	malicious	Browse
	bank slip.exe	Get hash	malicious	Browse
	PO#ZT20-09.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
elb097307-934924932.us-east-1.elb.amazonaws.com	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25
	PO1.xlsx	Get hash	malicious	Browse	174.129.214.20
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.204.14.42
	QKLQkaCe9M.exe	Get hash	malicious	Browse	50.19.252.36
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.243.161.145
	JlgyVmPWZr.exe	Get hash	malicious	Browse	174.129.214.20
	EIUOzWW2JX.exe	Get hash	malicious	Browse	174.129.214.20
	RVAgYSH2qh.exe	Get hash	malicious	Browse	54.235.142.93
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.83.248
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.225.66.103
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.142.93
	Purchase Order.exe	Get hash	malicious	Browse	54.225.66.103
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse	23.21.126.66
	phy__1__31629__2649094674__1605642612.exe	Get hash	malicious	Browse	23.21.126.66
	BBVA confirming Aviso de pago Eur5780201120.exe	Get hash	malicious	Browse	54.204.14.42
	Ejgvvuwuu8.exe	Get hash	malicious	Browse	54.225.169.28
	PO N0.1500243224._PDF.exe	Get hash	malicious	Browse	54.204.14.42
	Avion Quotation Request.doc	Get hash	malicious	Browse	54.204.14.42
	zRHI9DJ0YKIPfBX.exe	Get hash	malicious	Browse	54.235.182.194
	{REQUEST FOR QUOTATION-local lot.1,2,3,4,6container..exe	Get hash	malicious	Browse	174.129.214.20

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	52.1.99.77
	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25
	https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip#	Get hash	malicious	Browse	35.170.181.205
	BANK ACCOUNT INFO!.exe	Get hash	malicious	Browse	107.22.223.163
	PO1.xlsx	Get hash	malicious	Browse	174.129.214.20
	https://rebrand.ly/zkp0y	Get hash	malicious	Browse	54.227.164.140
	AccountStatements.html	Get hash	malicious	Browse	18.209.113.162
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.204.14.42
	QKLQkaCe9M.exe	Get hash	malicious	Browse	50.19.252.36
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.243.161.145
	JlgyVmPWZr.exe	Get hash	malicious	Browse	174.129.214.20
	EIUOzWW2JX.exe	Get hash	malicious	Browse	174.129.214.20
	RVAgYSH2qh.exe	Get hash	malicious	Browse	54.235.142.93
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.83.248
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.225.66.103
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.142.93
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	52.71.133.130
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse	23.21.126.66
	phy__1__31629__2649094674__1605642612.exe	Get hash	malicious	Browse	23.21.126.66
	BBVA confirming Aviso de pago Eur5780201120.exe	Get hash	malicious	Browse	50.19.252.36
HVC-ASUS	a7UZzCVWKO.exe	Get hash	malicious	Browse	194.126.175.2
	sAPuJAvs52.exe	Get hash	malicious	Browse	194.126.175.2
	JlgyVmPWZr.exe	Get hash	malicious	Browse	194.126.175.2
	EIUOzWW2JX.exe	Get hash	malicious	Browse	194.126.175.2
	yCyc4rN0u8.exe	Get hash	malicious	Browse	194.126.175.2
	9cXAnovmQX.exe	Get hash	malicious	Browse	194.126.175.2
	T2HDck1Mmy.exe	Get hash	malicious	Browse	194.126.175.2
	chib(1).exe	Get hash	malicious	Browse	194.126.175.2
	dede.exe	Get hash	malicious	Browse	194.126.175.2
	obi(1).exe	Get hash	malicious	Browse	194.126.175.2
	frc(1).exe	Get hash	malicious	Browse	194.126.175.2
	s5Hgh2z9mq.exe	Get hash	malicious	Browse	194.126.175.2
	7PTbHgCUy6.exe	Get hash	malicious	Browse	194.126.175.2
	DjP9Ogzsz8.exe	Get hash	malicious	Browse	194.126.175.2
	NYm3MN6z8D.exe	Get hash	malicious	Browse	194.126.175.2
	sX1UqYq8cS.exe	Get hash	malicious	Browse	194.126.175.2
	noaVP0hNm2.exe	Get hash	malicious	Browse	194.126.175.2
	Company profile and products.exe	Get hash	malicious	Browse	103.28.70.59
	TT COPY.exe	Get hash	malicious	Browse	68.233.236.158
	baf6b9fcec491619b45c1dd7db56ad3d.exe	Get hash	malicious	Browse	104.156.57.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.235.142.93
	QKLQkaCe9M.exe	Get hash	malicious	Browse	54.235.142.93
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.235.142.93
	JlgyVmPWZr.exe	Get hash	malicious	Browse	54.235.142.93
	EIUOzWW2JX.exe	Get hash	malicious	Browse	54.235.142.93
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.142.93
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.235.142.93
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.142.93
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse	54.235.142.93
	PO N0.1500243224._PDF.exe	Get hash	malicious	Browse	54.235.142.93
	zRHI9DJ0YKIPfBX.exe	Get hash	malicious	Browse	54.235.142.93
	chib(1).exe	Get hash	malicious	Browse	54.235.142.93
	dede.exe	Get hash	malicious	Browse	54.235.142.93
	obi(1).exe	Get hash	malicious	Browse	54.235.142.93
	frc(1).exe	Get hash	malicious	Browse	54.235.142.93
	knitted yarn documents.exe	Get hash	malicious	Browse	54.235.142.93
	ano.exe	Get hash	malicious	Browse	54.235.142.93
	kiiDjfpu2x.exe	Get hash	malicious	Browse	54.235.142.93
	s5Hgh2z9mq.exe	Get hash	malicious	Browse	54.235.142.93
	0hgHwEkIWY.exe	Get hash	malicious	Browse	54.235.142.93

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER.exe.log Download File
Process:	C:\Users\user\Desktop\ORDER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.345637324625647
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5:	6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1:	8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256:	51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512:	014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.345637324625647
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5:	6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1:	8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256:	51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512:	014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp871F.tmp Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.174942804027994
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG7tn:cbhK79lNQR/rydbz9I3YODOLNdq3m
MD5:	4053FC2B2E317FEBE143C11AD6E6F358
SHA1:	DC51CAEB255C2B5B980BDF25571F19DAFDC70807
SHA-256:	83FD4AE9CEE6A842DCF3CC995E74DA61AC503DCDC5AC60F78F38F18F544A8124
SHA-512:	A709BADFDBDE6EEB537670A7947DD436758D01FECBDF2343588D6EBAEF5124BCCE486B53A76C5BDCE413DA80D1B934B0B1EA33A7C1F80E6F94AA9A9110030326
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.174942804027994
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG7tn:cbhK79lNQR/rydbz9I3YODOLNdq3m
MD5:	4053FC2B2E317FEBE143C11AD6E6F358
SHA1:	DC51CAEB255C2B5B980BDF25571F19DAFDC70807
SHA-256:	83FD4AE9CEE6A842DCF3CC995E74DA61AC503DCDC5AC60F78F38F18F544A8124
SHA-512:	A709BADFDBDE6EEB537670A7947DD436758D01FECBDF2343588D6EBAEF5124BCCE486B53A76C5BDCE413DA80D1B934B0B1EA33A7C1F80E6F94AA9A9110030326
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp Download File
Process:	C:\Users\user\Desktop\ORDER.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.174942804027994
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG7tn:cbhK79lNQR/rydbz9I3YODOLNdq3m
MD5:	4053FC2B2E317FEBE143C11AD6E6F358
SHA1:	DC51CAEB255C2B5B980BDF25571F19DAFDC70807
SHA-256:	83FD4AE9CEE6A842DCF3CC995E74DA61AC503DCDC5AC60F78F38F18F544A8124
SHA-512:	A709BADFDBDE6EEB537670A7947DD436758D01FECBDF2343588D6EBAEF5124BCCE486B53A76C5BDCE413DA80D1B934B0B1EA33A7C1F80E6F94AA9A9110030326
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\SpHLicuA.exe Download File
Process:	C:\Users\user\Desktop\ORDER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	467968
Entropy (8bit):	7.74232130024318
Encrypted:	false
SSDEEP:	12288:Tt8LFePtVDcvShCStzi4bZ2krC5F0uCC:J84PLUT8JDBM
MD5:	BB942C948639F5C88FB33D5E4B7D7728
SHA1:	3CF9D798266AACC9BFDAF1C2D0A5EDA2B6D069EA
SHA-256:	5CFD185A582C4A6811966FB1585769FA8C17D67A969C72E1135F8DE537D106D4
SHA-512:	386C643398F8BB3D6F46319964EF320B9F79003765BE184699DEE8582D974F658A47F4D72D04280F376D9F3B5637E9876A1183B6350B2350D372E234C09FA719
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._..............0..............8... ...@....@.. ....................................@.................................X8..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................8......H........Y...C......o...................................................B.(........}........0..!.........{....r...p.\|....(....(.....+......0..<.............6...%...o.......o.......+.......o........X.........-....o...........,..r...p(....&...8..........(....}.......&.r?..p(....&.............(....}.......&.ro..p(....&...........}.....{....r...p(........,..r...p(....&...+X....}.....{....r...p(........,..r...p(....&...+(......(....}.......&.r...p(....&......+....(....b..t..

C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Download File
Process:	C:\Users\user\Desktop\ORDER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	467968
Entropy (8bit):	7.74232130024318
Encrypted:	false
SSDEEP:	12288:Tt8LFePtVDcvShCStzi4bZ2krC5F0uCC:J84PLUT8JDBM
MD5:	BB942C948639F5C88FB33D5E4B7D7728
SHA1:	3CF9D798266AACC9BFDAF1C2D0A5EDA2B6D069EA
SHA-256:	5CFD185A582C4A6811966FB1585769FA8C17D67A969C72E1135F8DE537D106D4
SHA-512:	386C643398F8BB3D6F46319964EF320B9F79003765BE184699DEE8582D974F658A47F4D72D04280F376D9F3B5637E9876A1183B6350B2350D372E234C09FA719
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._..............0..............8... ...@....@.. ....................................@.................................X8..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................8......H........Y...C......o...................................................B.(........}........0..!.........{....r...p.\|....(....(.....+......0..<.............6...%...o.......o.......+.......o........X.........-....o...........,..r...p(....&...8..........(....}.......&.r?..p(....&.............(....}.......&.ro..p(....&...........}.....{....r...p(........,..r...p(....&...+X....}.....{....r...p(........,..r...p(....&...+(......(....}.......&.r...p(....&......+....(....b..t..

C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ORDER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	11
Entropy (8bit):	2.663532754804255
Encrypted:	false
SSDEEP:	3:iLE:iLE
MD5:	B24D295C1F84ECBFB566103374FB91C5
SHA1:	6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256:	4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512:	9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious:	true
Preview:	..127.0.0.1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.74232130024318
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ORDER.exe
File size:	467968
MD5:	bb942c948639f5c88fb33d5e4b7d7728
SHA1:	3cf9d798266aacc9bfdaf1c2d0a5eda2b6d069ea
SHA256:	5cfd185a582c4a6811966fb1585769fa8c17d67a969c72e1135f8de537d106d4
SHA512:	386c643398f8bb3d6f46319964ef320b9f79003765be184699dee8582d974f658a47f4d72d04280f376d9f3b5637e9876a1183b6350b2350d372e234c09fa719
SSDEEP:	12288:Tt8LFePtVDcvShCStzi4bZ2krC5F0uCC:J84PLUT8JDBM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0..............8... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4738aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB59CF1 [Wed Nov 18 22:15:13 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73858	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x74000	0x5ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x76000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x718b0	0x71a00	False	0.858554214796	PGP symmetric key encrypted data - Plaintext or unencrypted data	7.74988411895	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x74000	0x5ec	0x600	False	0.434895833333	data	4.19215691018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x76000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x74090	0x35c	data
RT_MANIFEST	0x743fc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft 2017 - 2020
Assembly Version	1.0.0.0
InternalName	N.exe
FileVersion	1.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	Monopoly Simulator
ProductVersion	1.0.0.0
FileDescription	Monopoly Simulator
OriginalFilename	N.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/20/20-15:37:14.072742	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49766	587	192.168.2.4	68.233.236.158

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 15:37:00.175952911 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:00.278529882 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.278748989 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:00.363682032 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:00.466259003 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.466310978 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.466362000 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.466402054 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.466428995 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.466450930 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:00.466489077 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:00.467485905 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.515758991 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:00.618624926 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:00.662503958 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:00.964855909 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:01.073878050 CET	443	49765	54.235.142.93	192.168.2.4
Nov 20, 2020 15:37:01.115556002 CET	49765	443	192.168.2.4	54.235.142.93
Nov 20, 2020 15:37:12.682447910 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:12.826040983 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:12.826261044 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:13.155530930 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:13.156238079 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:13.299855947 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:13.301517963 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:13.445301056 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:13.445930004 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:13.609587908 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:13.610651970 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:13.754324913 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:13.768420935 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:13.921685934 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:13.922374964 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:14.066087961 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:14.066122055 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:14.072741985 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:14.072946072 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:14.073107004 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:14.073297977 CET	49766	587	192.168.2.4	68.233.236.158
Nov 20, 2020 15:37:14.216444969 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:14.216491938 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:14.218482018 CET	587	49766	68.233.236.158	192.168.2.4
Nov 20, 2020 15:37:14.272945881 CET	49766	587	192.168.2.4	68.233.236.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 15:35:12.914658070 CET	52991	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:12.941885948 CET	53	52991	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:14.616111040 CET	53700	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:14.643402100 CET	53	53700	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:15.490892887 CET	51726	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:15.518047094 CET	53	51726	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:16.164829969 CET	56794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:16.191960096 CET	53	56794	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:17.527013063 CET	56534	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:17.554275036 CET	53	56534	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:18.575421095 CET	56627	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:18.602494001 CET	53	56627	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:19.795495033 CET	56621	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:19.822566032 CET	53	56621	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:20.542124987 CET	63116	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:20.569293976 CET	53	63116	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:21.194839001 CET	64078	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:21.221848011 CET	53	64078	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:21.877516031 CET	64801	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:21.904726982 CET	53	64801	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:22.630449057 CET	61721	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:22.666033983 CET	53	61721	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:23.313229084 CET	51255	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:23.348787069 CET	53	51255	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:37.904980898 CET	61522	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:37.932054996 CET	53	61522	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:56.967084885 CET	52337	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:57.010198116 CET	53	52337	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:57.842834949 CET	55046	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:57.869908094 CET	53	55046	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:58.396017075 CET	49612	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:58.461549997 CET	53	49612	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:58.770025015 CET	49285	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:58.805774927 CET	53	49285	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:59.287940025 CET	50601	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:59.315059900 CET	53	50601	8.8.8.8	192.168.2.4
Nov 20, 2020 15:35:59.802416086 CET	60875	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:35:59.838213921 CET	53	60875	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:00.278412104 CET	56448	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:00.305439949 CET	53	56448	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:01.149400949 CET	59172	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:01.176583052 CET	53	59172	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:01.721554041 CET	62420	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:01.757261038 CET	53	62420	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:02.574343920 CET	60579	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:02.609684944 CET	53	60579	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:02.961649895 CET	50183	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:02.997490883 CET	53	50183	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:16.322583914 CET	61531	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:16.359389067 CET	53	61531	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:48.597218037 CET	49228	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:48.624423027 CET	53	49228	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:50.580859900 CET	59794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:50.607964039 CET	53	59794	8.8.8.8	192.168.2.4
Nov 20, 2020 15:36:59.958941936 CET	55916	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:36:59.986032963 CET	53	55916	8.8.8.8	192.168.2.4
Nov 20, 2020 15:37:00.023001909 CET	52752	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:37:00.050034046 CET	53	52752	8.8.8.8	192.168.2.4
Nov 20, 2020 15:37:12.547585011 CET	60542	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:37:12.617464066 CET	53	60542	8.8.8.8	192.168.2.4
Nov 20, 2020 15:37:12.643642902 CET	60689	53	192.168.2.4	8.8.8.8
Nov 20, 2020 15:37:12.679339886 CET	53	60689	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 15:36:59.958941936 CET	192.168.2.4	8.8.8.8	0xcd07	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.023001909 CET	192.168.2.4	8.8.8.8	0xfe5d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:12.547585011 CET	192.168.2.4	8.8.8.8	0x1baa	Standard query (0)	mail.vasudeva.in	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:12.643642902 CET	192.168.2.4	8.8.8.8	0x76f8	Standard query (0)	mail.vasudeva.in	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.161.145	A (IP address)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 20, 2020 15:36:59.986032963 CET	8.8.8.8	192.168.2.4	0xcd07	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.153.147	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.204.14.42	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.42.25	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.161.145	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:00.050034046 CET	8.8.8.8	192.168.2.4	0xfe5d	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.126.66	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:12.617464066 CET	8.8.8.8	192.168.2.4	0x1baa	No error (0)	mail.vasudeva.in	vasudeva.in		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 15:37:12.617464066 CET	8.8.8.8	192.168.2.4	0x1baa	No error (0)	vasudeva.in		68.233.236.158	A (IP address)	IN (0x0001)
Nov 20, 2020 15:37:12.679339886 CET	8.8.8.8	192.168.2.4	0x76f8	No error (0)	mail.vasudeva.in	vasudeva.in		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 15:37:12.679339886 CET	8.8.8.8	192.168.2.4	0x76f8	No error (0)	vasudeva.in		68.233.236.158	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 20, 2020 15:37:00.467485905 CET	54.235.142.93	443	192.168.2.4	49765	CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Jan 24 01:00:00 CET 2018 Wed Feb 12 01:00:00 CET 2014 Tue Jan 19 01:00:00 CET 2010	Sun Jan 24 00:59:59 CET 2021 Mon Feb 12 00:59:59 CET 2029 Tue Jan 19 00:59:59 CET 2038	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Feb 12 01:00:00 CET 2014	Mon Feb 12 00:59:59 CET 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Jan 19 01:00:00 CET 2010	Tue Jan 19 00:59:59 CET 2038

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 20, 2020 15:37:13.155530930 CET	587	49766	68.233.236.158	192.168.2.4	220-cherry.herosite.pro ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 09:37:13 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 20, 2020 15:37:13.156238079 CET	49766	587	192.168.2.4	68.233.236.158	EHLO 468325
Nov 20, 2020 15:37:13.299855947 CET	587	49766	68.233.236.158	192.168.2.4	250-cherry.herosite.pro Hello 468325 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 20, 2020 15:37:13.301517963 CET	49766	587	192.168.2.4	68.233.236.158	AUTH login d2VhdmluZ2FjYzFAdmFzdWRldmEuaW4=
Nov 20, 2020 15:37:13.445301056 CET	587	49766	68.233.236.158	192.168.2.4	334 UGFzc3dvcmQ6
Nov 20, 2020 15:37:13.609587908 CET	587	49766	68.233.236.158	192.168.2.4	235 Authentication succeeded
Nov 20, 2020 15:37:13.610651970 CET	49766	587	192.168.2.4	68.233.236.158	MAIL FROM:<weavingacc1@vasudeva.in>
Nov 20, 2020 15:37:13.754324913 CET	587	49766	68.233.236.158	192.168.2.4	250 OK
Nov 20, 2020 15:37:13.768420935 CET	49766	587	192.168.2.4	68.233.236.158	RCPT TO:<weavingacc1@vasudeva.in>
Nov 20, 2020 15:37:13.921685934 CET	587	49766	68.233.236.158	192.168.2.4	250 Accepted
Nov 20, 2020 15:37:13.922374964 CET	49766	587	192.168.2.4	68.233.236.158	DATA
Nov 20, 2020 15:37:14.066122055 CET	587	49766	68.233.236.158	192.168.2.4	354 Enter message, ending with "." on a line by itself
Nov 20, 2020 15:37:14.073297977 CET	49766	587	192.168.2.4	68.233.236.158	.
Nov 20, 2020 15:37:14.218482018 CET	587	49766	68.233.236.158	192.168.2.4	250 OK id=1kg7XG-0034uj-05

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ORDER.exe PID: 6128 Parent PID: 5984

General

Start time:	15:35:20
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\ORDER.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ORDER.exe'
Imagebase:	0x530000
File size:	467968 bytes
MD5 hash:	BB942C948639F5C88FB33D5E4B7D7728
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.687010442.0000000003C56000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.686353136.0000000002BFC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.687253332.0000000003DD6000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6728 Parent PID: 6128

General

Start time:	15:35:28
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpFCB1.tmp'
Imagebase:	0x380000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6840 Parent PID: 6728

General

Start time:	15:35:29
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ORDER.exe PID: 6876 Parent PID: 6128

General

Start time:	15:35:29
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\ORDER.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xf50000
File size:	467968 bytes
MD5 hash:	BB942C948639F5C88FB33D5E4B7D7728
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.930660789.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.935335032.0000000003724000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.934322832.0000000003526000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.934090598.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: kprUEGC.exe PID: 5608 Parent PID: 3424

General

Start time:	15:36:00
Start date:	20/11/2020
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Imagebase:	0x420000
File size:	467968 bytes
MD5 hash:	BB942C948639F5C88FB33D5E4B7D7728
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.765004740.0000000003825000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.762865676.00000000027CC000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5856 Parent PID: 5608

General

Start time:	15:36:04
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmp871F.tmp'
Imagebase:	0x380000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5956 Parent PID: 5856

General

Start time:	15:36:05
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: kprUEGC.exe PID: 4928 Parent PID: 5608

General

Start time:	15:36:05
Start date:	20/11/2020
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x9f0000
File size:	467968 bytes
MD5 hash:	BB942C948639F5C88FB33D5E4B7D7728
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.930696018.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.934897870.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: kprUEGC.exe PID: 6300 Parent PID: 3424

General

Start time:	15:36:08
Start date:	20/11/2020
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Imagebase:	0x310000
File size:	467968 bytes
MD5 hash:	BB942C948639F5C88FB33D5E4B7D7728
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.786151703.000000000277C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.789175486.00000000037D4000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6816 Parent PID: 6300

General

Start time:	15:36:14
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\SpHLicuA' /XML 'C:\Users\user\AppData\Local\Temp\tmpAEAC.tmp'
Imagebase:	0x380000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6544 Parent PID: 6816

General

Start time:	15:36:14
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: kprUEGC.exe PID: 6648 Parent PID: 6300

General

Start time:	15:36:15
Start date:	20/11/2020
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x760000
File size:	467968 bytes
MD5 hash:	BB942C948639F5C88FB33D5E4B7D7728
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.933961322.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.930556707.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ORDER.exe PID: 6128 Parent PID: 5984 ORDER.exeCOMMON

Executed Functions

Function 06F0388C, Relevance: 5.8, Strings: 4, Instructions: 806COMMON

Download Yara Rule

Strings

z, xrefs: 06F03EFC
5, xrefs: 06F03A0E
0:5, xrefs: 06F0408C
(, xrefs: 06F042B6

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID:
String ID: ($0:5$5$z
API String ID: 0-2325186624
Opcode ID: 67afa2e30cf11a97e0ff597b27e4003f2c40bbf9676e7d501003eac6bd6babad
Instruction ID: bc82d91b9b15f4fd1282d52923d6ecf422e713782d6381272b408471ddfab948
Opcode Fuzzy Hash: 67afa2e30cf11a97e0ff597b27e4003f2c40bbf9676e7d501003eac6bd6babad
Instruction Fuzzy Hash: 8E82E276D4522ACFEBA4DF64C844BEDBBB1AB8A304F1091E9C109A7290DB745EC5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 06F01F52, Relevance: 2.9, Strings: 2, Instructions: 353COMMON

Download Yara Rule

Strings

?, xrefs: 06F0224B
y, xrefs: 06F02082

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID:
String ID: ?$y
API String ID: 0-138892161
Opcode ID: c8caaf42da38146b01d1cc17bd52e3e8eb307e7297d6e27fc2236174e21b187d
Instruction ID: 5e6b6e40c8930c83122be968532bd31773573a2306c7fa07434fdd0931eaedeb
Opcode Fuzzy Hash: c8caaf42da38146b01d1cc17bd52e3e8eb307e7297d6e27fc2236174e21b187d
Instruction Fuzzy Hash: 1ED15B75C19218CFFBA4CFA5C4887EDBBB1BB4A305F1061AAC009A32D1DB744A85DF65

Uniqueness

Uniqueness Score: -1.00%

Function 06F01FC2, Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

?, xrefs: 06F0224B
y, xrefs: 06F02082

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID:
String ID: ?$y
API String ID: 0-138892161
Opcode ID: 0a724aab7d92482ba6c73ee0ba11d96ffd04e190f1a63dc4d39b20c060259a1a
Instruction ID: cae8e627412d0553f76ea742003b9d06d25215a59141dfe7fb41a71ea8b98b25
Opcode Fuzzy Hash: 0a724aab7d92482ba6c73ee0ba11d96ffd04e190f1a63dc4d39b20c060259a1a
Instruction Fuzzy Hash: 58C16E75D19218CFFBA4CFA5C8987ECBBB1BB4A305F1051AAC009A72D1DB340A85DF64

Uniqueness

Uniqueness Score: -1.00%

Function 06F0246F, Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

?, xrefs: 06F0224B
y, xrefs: 06F02082

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID:
String ID: ?$y
API String ID: 0-138892161
Opcode ID: a40f848fc1ab207ecdd754d665aa91088a6b8cf38660a35d09940d5d31cab12a
Instruction ID: c0f46ddc77f8a7b8ceb1bbde7b631fb13f2b19ba3f5d2189357687319f4e9553
Opcode Fuzzy Hash: a40f848fc1ab207ecdd754d665aa91088a6b8cf38660a35d09940d5d31cab12a
Instruction Fuzzy Hash: 6CB16A75D15218CFFBA4CFA5D8887ECBBB1BB4A305F1091AAD109A32D1DB344A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 06F0060B, Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

=, xrefs: 06F00662
=, xrefs: 06F00353

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID:
String ID: =$=
API String ID: 0-2054292070
Opcode ID: a23abc5cf96f06fa38698d245159fccc07dc918be14cfd4595c51b3f88de2f2f
Instruction ID: c5497432403e83c291dc70198f25cf5aa5ad91015ee2b99b2c054a1405b04a8a
Opcode Fuzzy Hash: a23abc5cf96f06fa38698d245159fccc07dc918be14cfd4595c51b3f88de2f2f
Instruction Fuzzy Hash: F9A16975D08259CFEB50CFA8C4807EDBBB6BB4A310F14C219D459AB391DB349981DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0299B681, Relevance: 6.1, APIs: 4, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0299B6F0
GetCurrentThread.KERNEL32 ref: 0299B72D
GetCurrentProcess.KERNEL32 ref: 0299B76A
GetCurrentThreadId.KERNEL32 ref: 0299B7C3

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 47f4815048229d26345155ef01987218cf76ba7fe6a84736d48ee15437d704df
Instruction ID: a2319a236272ef9b8870518cfdf4cfe2eb49dd60004acb13e661f3bc839f6ed7
Opcode Fuzzy Hash: 47f4815048229d26345155ef01987218cf76ba7fe6a84736d48ee15437d704df
Instruction Fuzzy Hash: 025167B09042488FDB50CFAAD6887EEBBF1AF49318F248599E019A7760C7385844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0299B690, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0299B6F0
GetCurrentThread.KERNEL32 ref: 0299B72D
GetCurrentProcess.KERNEL32 ref: 0299B76A
GetCurrentThreadId.KERNEL32 ref: 0299B7C3

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f2c1b71a40fa2c344e2bc82ddcc6e6d902277db41ffceddc70a63c57b0491e9b
Instruction ID: f04db1e4b0dd7b400987ad8c4f526502108f84d0c89494ae5c2da3467eb4bf46
Opcode Fuzzy Hash: f2c1b71a40fa2c344e2bc82ddcc6e6d902277db41ffceddc70a63c57b0491e9b
Instruction Fuzzy Hash: 5C5156B0D002498FDB10CFAAD6887EEBBF1AF49318F208599E419A7750D7796844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06F0472C, Relevance: 1.6, APIs: 1, Instructions: 146processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 06F0488B

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ebbf51ca83ee2ab67d1bba15eb7e008e0bd4104a61448eefe2d68ca895d6c570
Instruction ID: d78e7835ba7ee4e8bebc1c3ee65b8aac4f30f9093860fb691e2e3d8fccd9b525
Opcode Fuzzy Hash: ebbf51ca83ee2ab67d1bba15eb7e008e0bd4104a61448eefe2d68ca895d6c570
Instruction Fuzzy Hash: 9D510871D00329DFDB54CF95C980BDDBBB2BF48314F1485AAE508A7250DB719A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F04738, Relevance: 1.6, APIs: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 06F0488B

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ba1748a72ad8df74da416430ca43c2d14f371ab20d273a56960981a1d085e882
Instruction ID: 2f75f3fb682c85d61e11e4a12c06651b1f4802bab72606462586111160d0a44a
Opcode Fuzzy Hash: ba1748a72ad8df74da416430ca43c2d14f371ab20d273a56960981a1d085e882
Instruction Fuzzy Hash: F251F671D00329DFDB50CF95C980BDDBBB6BF48314F1485AAE908A7250DB719A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0299FCF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0299FE0A

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: be207b783701acf612946b841ea771dc7daf97f07060fd6d2feeba9ba2b30fb1
Instruction ID: 4e0585e707d34572983f1940ad552e620fd2db39d7223a7ddda8ffb076849be1
Opcode Fuzzy Hash: be207b783701acf612946b841ea771dc7daf97f07060fd6d2feeba9ba2b30fb1
Instruction Fuzzy Hash: 9E4191B1D003499FDF14CF9AC984ADEFBB5BF48314F24812AE819AB211D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0299FCEE, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0299FE0A

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6345abdb09fdbda008a10e50d1e397640be7b38b728878e9b7981d7afba5086b
Instruction ID: 5e67d928823e6c852f83434febc306860a31d8106094d10d937e143514be27d1
Opcode Fuzzy Hash: 6345abdb09fdbda008a10e50d1e397640be7b38b728878e9b7981d7afba5086b
Instruction Fuzzy Hash: 1051AEB1D003499FDF14CFA9D980ADEFBB5BF48324F24812AE819AB251D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F01B2B, Relevance: 1.6, APIs: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F05725

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cbd896b47178c4468ffe9f5e1720120f5d561556683a4e98bd2359446744c74f
Instruction ID: 81b9c54d69c62fef02e708da486993b507c5693e62987de03c4962d3940888b2
Opcode Fuzzy Hash: cbd896b47178c4468ffe9f5e1720120f5d561556683a4e98bd2359446744c74f
Instruction Fuzzy Hash: 1B41A27180E3D45FCB139B689860ADABFB49F1B214F0944DBD094DB693C238594CCBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02995364, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02995421

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 336d86414b3dfce7ada23594606739ac7efcbc542b6761d4198486ae369f272f
Instruction ID: 88bac6884851df99eb5c8119fa8457e34b288896592b526e66d0042d811e7fe0
Opcode Fuzzy Hash: 336d86414b3dfce7ada23594606739ac7efcbc542b6761d4198486ae369f272f
Instruction Fuzzy Hash: 2B41F271C04618CBDF14DFA9C984BDEBBB5BF49318F118069D408AB251DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02993DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02995421

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5d2ceff5567154bf093c892058b7651752d31d034b9b0b780bbd7f774f762162
Instruction ID: c6dfd89431712a752948987c0b7510428cd04702f1ff74b2fe2e0719f265e6d1
Opcode Fuzzy Hash: 5d2ceff5567154bf093c892058b7651752d31d034b9b0b780bbd7f774f762162
Instruction Fuzzy Hash: B6410271C04218CBDF24DFA9C984BCEBBB5BF49318F51846AD409BB250DBB5694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F04CE1, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F04D75

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0bf04c96ca5f8f9f6159d562fcefaf113e39da74741a08f19f018a4492a55277
Instruction ID: 530a75a2667209519ef9070ccdf6a645201fe9da440587127649c9dff3c8ce6f
Opcode Fuzzy Hash: 0bf04c96ca5f8f9f6159d562fcefaf113e39da74741a08f19f018a4492a55277
Instruction Fuzzy Hash: C72116B1901359DFDB10CF9AD885BDEBBF4FB48310F00842AE918A7750D778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F04CE8, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F04D75

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 177e5595c0efc86830c4b0108a6fc950b08ea8da427499401b64546ac7645e1d
Instruction ID: c17d88288fd57ff94c49a9decad7939afd7530104cd0ef71655e6df5028342f5
Opcode Fuzzy Hash: 177e5595c0efc86830c4b0108a6fc950b08ea8da427499401b64546ac7645e1d
Instruction Fuzzy Hash: 4021E4B1901259DFDB10CF9AD985BDEBBF4FB48324F00842AE918A7250D778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0299B8B2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0299B93F

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3410e55d326a848132600d8758f3f238363c1aab0292f69500038233ce9fd546
Instruction ID: 84586f103a0cf14c954c9e22f203db7b19c8f4d103ecb8c1240e27a149ecf1c4
Opcode Fuzzy Hash: 3410e55d326a848132600d8758f3f238363c1aab0292f69500038233ce9fd546
Instruction Fuzzy Hash: E32103B59002489FDB10CFA9D584AEEBFF4EB58324F14801AE814A7310D378A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06F04B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F04BEF

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 72905a356da59b3a17ba4999238e503eebd7ee714120423ec60dbe0620599b0a
Instruction ID: 37eef34b27a0666c710715fb8ca2c78b99026eed1b65b8e77e06df1c2a914390
Opcode Fuzzy Hash: 72905a356da59b3a17ba4999238e503eebd7ee714120423ec60dbe0620599b0a
Instruction Fuzzy Hash: 4421F3B1905259EFCB10CF9AD984BDEBBF4FB48320F14842AE918A7250D378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0299B8B8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0299B93F

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: edc4d6d6a0e170970d94ab587f755db683d0fc78d061e62e94a6d12c3005175f
Instruction ID: 3be28b7d2c2bd7332814e199d89d2c4889c9b7fa70a0e0a54aaa14df94418988
Opcode Fuzzy Hash: edc4d6d6a0e170970d94ab587f755db683d0fc78d061e62e94a6d12c3005175f
Instruction Fuzzy Hash: 1D21D5B59012599FDF10CF9AD984BDEBBF8FB48324F14841AE914A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F04AA9, Relevance: 1.6, APIs: 1, Instructions: 61threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 06F04B27

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a323ed6a244a71ddac8b260dcddd6bdb386f93118e7584286ce65aec0f1d12fc
Instruction ID: 081057448853c3230b0daf600b1bba152f63a707556ba57e23f9fc16d98d8e98
Opcode Fuzzy Hash: a323ed6a244a71ddac8b260dcddd6bdb386f93118e7584286ce65aec0f1d12fc
Instruction Fuzzy Hash: A9211AB1D006199FDB10CF9AD985BEEFBF4BB48624F04812AD518B7740D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F04B70, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F04BEF

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f0aee4282251f2b97333c9d1fec9d0c42e85d96cceeb5159f588e70b220de25b
Instruction ID: bebb096b59fc368aca15865ba0cfca6a19e66ec8a84cdc158fc44837fd9614c1
Opcode Fuzzy Hash: f0aee4282251f2b97333c9d1fec9d0c42e85d96cceeb5159f588e70b220de25b
Instruction Fuzzy Hash: CD21EFB1901259DFDB10CF9AD984BDEBBF4FB48320F10842AE918A7250D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F04AB0, Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 06F04B27

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f8d19a5d9096a1fc4aefb09c8755cd37fd5cfd5078b77be4978d36401de011be
Instruction ID: 0d7cd424af2079591b505851feb884c4c27f8f9b31ad2751cd40bfcb1f3dfe2c
Opcode Fuzzy Hash: f8d19a5d9096a1fc4aefb09c8755cd37fd5cfd5078b77be4978d36401de011be
Instruction Fuzzy Hash: 972114B1D002199FDB00CF9AD985BEEFBF8BB48224F04812AD518B7640D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02999478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02999951,00000800,00000000,00000000), ref: 02999B62

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4d16ad0a6cc380b0ef4813d3e579a91f663ad648ea2d99f8a09a792f6ba5fdfc
Instruction ID: 4d638a2616ed0c18fb6d4ea8de99f84261e443d7c47769190756b75b45e5d472
Opcode Fuzzy Hash: 4d16ad0a6cc380b0ef4813d3e579a91f663ad648ea2d99f8a09a792f6ba5fdfc
Instruction Fuzzy Hash: 8C1103B29042499FDF10CF9AC484BEEFBF8EB58324F10842ED815A7600C778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02999AF0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02999951,00000800,00000000,00000000), ref: 02999B62

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 926f554975e63ce2fee8a6e1b0dbeae262af71d393c7af0b83192a133099a60a
Instruction ID: d36aec0f07ee1122272343ad4ccb9449d81a7f0cc80bd02428e8048ec7301df6
Opcode Fuzzy Hash: 926f554975e63ce2fee8a6e1b0dbeae262af71d393c7af0b83192a133099a60a
Instruction Fuzzy Hash: B81114B6D002488FDB10CFAAD484BEEFBF4EB98324F14852ED415A7600C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F04C38, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F04CAB

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9845c15ce94d924f93d430acaeffaaeb05d4070d892a9163a3616d60657de1c6
Instruction ID: d6b231d980caddb95ebfcdbdbcf7b904217878fc16787302f2e90d1389dc81df
Opcode Fuzzy Hash: 9845c15ce94d924f93d430acaeffaaeb05d4070d892a9163a3616d60657de1c6
Instruction Fuzzy Hash: 8D1102B5804248DFCB20CF9AD985BDEBBF4FB48324F108419E528A7650C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02999868, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 029998D6

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: afc4643b4d27b3cd1b4ea146f7cbc4a7697d03d3d7da0e5f91a65c3e57c81b19
Instruction ID: 0088fa36f35d2baafb8ba42121127ae5406de21f4f59099411ccbc7efd9e4438
Opcode Fuzzy Hash: afc4643b4d27b3cd1b4ea146f7cbc4a7697d03d3d7da0e5f91a65c3e57c81b19
Instruction Fuzzy Hash: 5D11DDB1D002498FDB10CF9AD484ADEBBF4AB88324F14856ED459A7600C379A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F04C40, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F04CAB

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 087687d7d6d67a696a0624fd6a261ef75bcc80a6b5380cceaa67ed6d74568f14
Instruction ID: cc9506541c31b22f91ef50e8845f5d5f9b650f853dac91f908343daefdf2d84a
Opcode Fuzzy Hash: 087687d7d6d67a696a0624fd6a261ef75bcc80a6b5380cceaa67ed6d74568f14
Instruction Fuzzy Hash: A81122B1800248DFCB10CF9AD984BDEBBF4FB88324F108419E528A7650C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F01BB0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F05725

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 989895ceab0007cf9d8b8826b4c1de578046f75611d5bb89444b9b965034fd4a
Instruction ID: 6a8801f1993da97b8a42f13a4f6ec416f4d204e9e5fa48e49d182128b9688b26
Opcode Fuzzy Hash: 989895ceab0007cf9d8b8826b4c1de578046f75611d5bb89444b9b965034fd4a
Instruction Fuzzy Hash: 591103B5800348DFDB60CF9AD984BEEBBF8EB58324F108459E914A7640C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02999870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 029998D6

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0806499fbfb204c9028fd45263803ee319232b51891ebac302896431ce658458
Instruction ID: 8b484515daabb34543e3bd476302f918ab9426aad68144397107d12ba5db2c17
Opcode Fuzzy Hash: 0806499fbfb204c9028fd45263803ee319232b51891ebac302896431ce658458
Instruction Fuzzy Hash: C511DFB6D002498FEB10DF9AD544BDEFBF8EB89324F14842ED819A7600D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F056C0, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F05725

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a821990e74466408a2f1958ab7e8d72587fa8a4aa8d9d69be0e3c587bf591908
Instruction ID: 8214c22d05d5203c838ebe19c40056ea0883f2682f02aa17db89c36b8e753a27
Opcode Fuzzy Hash: a821990e74466408a2f1958ab7e8d72587fa8a4aa8d9d69be0e3c587bf591908
Instruction Fuzzy Hash: A31115B5800348DFDB10DF99D984BDEBBF8FB58324F108419E958A7600C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0299FF38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0299FF9D

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 651a6836fa25e8ce7ce2de2f052486c668cc5c5e9aea0cb7c0532d7faf36b60d
Instruction ID: faae278b90d899617b1488bad3c894b5b46763e92f2d1adf34fe455c9a2f1c15
Opcode Fuzzy Hash: 651a6836fa25e8ce7ce2de2f052486c668cc5c5e9aea0cb7c0532d7faf36b60d
Instruction Fuzzy Hash: 001133B58002489FDB10CF99D584BDEFBF8EB49324F10841AD858A7640C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F04DB8, Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06F04E1F

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 066cc3a22a4ec3b334901994a1891bb117623874db4936aa8128394ab94ab481
Instruction ID: 5c205e8ce89db534b32c5187aad5dec97b064f89beaab8f5b35afcd34ea7958c
Opcode Fuzzy Hash: 066cc3a22a4ec3b334901994a1891bb117623874db4936aa8128394ab94ab481
Instruction Fuzzy Hash: B41112B5804249CFDB10DF9AD988BDEBBF4EB48324F10842AD528A7740D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0299FF40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0299FF9D

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e4e5c3d1cd5927b067018941f1c8202bdea17664ae013ac7f12c7baea5653dde
Instruction ID: 83a7147bd122a3a7d1a73bda9a97f442e371f017b3ee36862ba15e24de45164a
Opcode Fuzzy Hash: e4e5c3d1cd5927b067018941f1c8202bdea17664ae013ac7f12c7baea5653dde
Instruction Fuzzy Hash: 661112B58002489FDB10CF9AD584BDFFBF8EB48324F10841AE818A7740C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F04DC0, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06F04E1F

Memory Dump Source

Source File: 00000000.00000002.691202313.0000000006F00000.00000040.00000001.sdmp, Offset: 06F00000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4b483a090d646fb33b37afcb8a168bba992d4e928ea544e70583e59ba537f198
Instruction ID: 00f93f7e93d8d46dc0fba7467f0b006fd5b4801095ca6fb3ead0cff114a2b5e9
Opcode Fuzzy Hash: 4b483a090d646fb33b37afcb8a168bba992d4e928ea544e70583e59ba537f198
Instruction Fuzzy Hash: 7E111EB1804249CFDB10CF9AD988BDEFBF8EB48324F10841AD518A7640C778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685500342.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2479c14b2334cb6d62697d08db355d1628ae49749efc2fe4d28f4dfd6a78dc
Instruction ID: e135c2f457b742d1188ef76a93b887f95818e3811980468709aa62929d1f0fff
Opcode Fuzzy Hash: 1c2479c14b2334cb6d62697d08db355d1628ae49749efc2fe4d28f4dfd6a78dc
Instruction Fuzzy Hash: F92148B1504205DFDB00CF00D8C0B66BB65FB9D328F20C569E80B0B60AC336E846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685533713.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70eba79d903a85995f8aa3c31990667d5fa007c49e991b7ff121228983256e23
Instruction ID: a4186724ba52218938f9036dd06d4214014c7f14a0f07919787f68bdbd213d93
Opcode Fuzzy Hash: 70eba79d903a85995f8aa3c31990667d5fa007c49e991b7ff121228983256e23
Instruction Fuzzy Hash: 04210775608240DFCB14EF14E9C4B66BB65FB88314F24C5A9D80A4B346D73AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685533713.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b686e68227190403c5d856c9df2b0ab6c2cb5d3a4be1d4be2b826f6bdc2f667
Instruction ID: a71552567bbcccbf623f26ac9c3f192102696fc7b2c5ac98e28fca5aa4889b9f
Opcode Fuzzy Hash: 6b686e68227190403c5d856c9df2b0ab6c2cb5d3a4be1d4be2b826f6bdc2f667
Instruction Fuzzy Hash: DD210771504280EFDB05CF14D9C0B66BB65FB88314F24C5BDE80A4B246D736DC46CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685533713.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ff68355bbd0ae2b8681f98aafc237835aed02cee9769b187ff025f4d152b16
Instruction ID: 1d3f9a96b9ec8759b7cd68ba64bd057324bf878abea3f533c6bfbe22eebbab64
Opcode Fuzzy Hash: 46ff68355bbd0ae2b8681f98aafc237835aed02cee9769b187ff025f4d152b16
Instruction Fuzzy Hash: 5E218B755093C08FCB02CF20D994B55BF71EB46314F28C5EAD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685500342.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 6e796b71778d907ce246f52edb726bc9e9ee4f0eb1e5844fd3de905b4d13a7b5
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 1011E676404280DFDF11CF10D5C4B16BF71FB99324F24C6A9D80A4B616C33AE956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685533713.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: c9a24bfe5fdf0ad4163bb7c33bf668c90feab17eb2755101035280e0032325e5
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: FE118875904280DFCB12CF10D5C4B55BBB1FB84324F28C6AAD84A4B656D33AD94ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD781, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685500342.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dff9d46d96fb7ae97411c4e0fd944341edf675c21b8d7938f67692c9798382
Instruction ID: 0c2bb4a5f8b6de7f95d43a161263e212a16deade8bd2ae109f4df84fae8fac95
Opcode Fuzzy Hash: f4dff9d46d96fb7ae97411c4e0fd944341edf675c21b8d7938f67692c9798382
Instruction Fuzzy Hash: 8901F771008385AAE7184E16DCC0766BBD8EF46738F188459ED179AA4AC7789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD780, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.685500342.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c048964ffd8c5d9970d1836737677f06a4fa827c70d203925d6ccbc9ddbf41b
Instruction ID: 21e004beea7a720f48b87bf3132ba989e0f8f1489b70efb6d643c93f7835dce2
Opcode Fuzzy Hash: 2c048964ffd8c5d9970d1836737677f06a4fa827c70d203925d6ccbc9ddbf41b
Instruction Fuzzy Hash: 0AF0C2714082849BEB248E16CCC4B62FFE8EB51738F18C45AED194B686C3789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0299E570, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a841fbe9b0f5eb6bd189741aa215fe2743f681a203da68af5fd8a7b523d1bf
Instruction ID: 52c3e35757dc4d58a3eb018223ab371eafb2e37495bc47b78eb39bd9ba7b8678
Opcode Fuzzy Hash: 32a841fbe9b0f5eb6bd189741aa215fe2743f681a203da68af5fd8a7b523d1bf
Instruction Fuzzy Hash: A712B5F1C917468AD330CF65E99C2893BA1B7443A8BD44B08D2B11BAD1D7BE117ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 054F4308, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.689345851.00000000054F0000.00000040.00000001.sdmp, Offset: 054F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bef02b5de056da547dd62e1b0df709b84dbf03721894f0bd0c37db81955b76f
Instruction ID: d1cd2fb94f1ff0a5190aa2e249cc5d07ef619f497e849e6f5fc911850d8cbc47
Opcode Fuzzy Hash: 1bef02b5de056da547dd62e1b0df709b84dbf03721894f0bd0c37db81955b76f
Instruction Fuzzy Hash: 98D1D531C20B5A8ACB10EB64D9916DDB771FFDA204F508B9AE14937225FF706AC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0299C124, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7045b60ade26ce469da8ffb1fac5719cd37cf0e7368d95de04c183f9da8d0621
Instruction ID: cafcac6054a2a671d46e9f98b219d940b76be23a422816d19fc71d4781af4414
Opcode Fuzzy Hash: 7045b60ade26ce469da8ffb1fac5719cd37cf0e7368d95de04c183f9da8d0621
Instruction Fuzzy Hash: CAA18E32E002098FCF15DFA9C8845DEB7B6FF89314B15856AE805BB261EB31E955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054F4318, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.689345851.00000000054F0000.00000040.00000001.sdmp, Offset: 054F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c301e2b5d4eb7fac87ce6a77c9df273c1c6dbd67b3814bce8de5ba4b3137b576
Instruction ID: 33bda7add7afce405b4483344965c5840e1c45ad2c501b7042f0848d8d0354cf
Opcode Fuzzy Hash: c301e2b5d4eb7fac87ce6a77c9df273c1c6dbd67b3814bce8de5ba4b3137b576
Instruction Fuzzy Hash: 2AD1B431C20B5A8ACB10EB64D9916DDB771EFDA204F508B9AE14937225FF706AC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0299E562, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.686002081.0000000002990000.00000040.00000001.sdmp, Offset: 02990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f208cd41199a28ac16e69aa89f122c1de6cee667778a682218e44287a46c544
Instruction ID: 059f63b77557b843fc95034850e001adf996b213bfa373d30891f7d045a08958
Opcode Fuzzy Hash: 0f208cd41199a28ac16e69aa89f122c1de6cee667778a682218e44287a46c544
Instruction Fuzzy Hash: 25C119F1C917468AD720CF65E89C2893B71BB843A8FD44B18D2616BAD1D7BE107ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 054F5310, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.689345851.00000000054F0000.00000040.00000001.sdmp, Offset: 054F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7245622f59a87b5f77b0e074d444a64510ca123235c89b0ab13a10dba0716042
Instruction ID: 9167a4d9c2ff58321d4b02d734370c05345165da07a83ec488977f61d9a68b34
Opcode Fuzzy Hash: 7245622f59a87b5f77b0e074d444a64510ca123235c89b0ab13a10dba0716042
Instruction Fuzzy Hash: A4710070E042288FCB04CFA9D584AEEFBF2FF89300F14916AD509AB245D7349982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 054F81C7, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.689345851.00000000054F0000.00000040.00000001.sdmp, Offset: 054F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1890fe0cbfb12077b62351772371375f5ac3791a7caa90cc2233ed37b7d7e6a3
Instruction ID: 101776e22cb106ce22d0ac834c74bc40060ecefe079b6d448ce54144af433de3
Opcode Fuzzy Hash: 1890fe0cbfb12077b62351772371375f5ac3791a7caa90cc2233ed37b7d7e6a3
Instruction Fuzzy Hash: 6B11B471E056489BEB08CFABD9402DEFAF3AFC9300F04D46AD914BA229EA3045458F65

Uniqueness

Uniqueness Score: -1.00%

Function 054F81D8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.689345851.00000000054F0000.00000040.00000001.sdmp, Offset: 054F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7789e48cc049126150255ce97c71fae6f31126645123010c19950dbfdc908df
Instruction ID: 610fc2c1561867071fca77ea1e1d8b239754fd1b60f3ccec45f972bbb15c9358
Opcode Fuzzy Hash: b7789e48cc049126150255ce97c71fae6f31126645123010c19950dbfdc908df
Instruction Fuzzy Hash: 1311A771E046089BDB08CFABD9402EEFAF7AFC9300F04D03AD918BA215EB3055418F64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ORDER.exe PID: 6876 Parent PID: 6128 ORDER.exeCOMMON

Executed Functions

Function 06EDBC48, Relevance: 2.1, APIs: 1, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eef24a3c4fb2b24d9206470ed9fb4c37fd89f16ed5ad2d6841b471abb826a2d
Instruction ID: 115a9f05a76ff29fc9f59901a5634f1abc2259c05a41a06eb973efe48692f455
Opcode Fuzzy Hash: 7eef24a3c4fb2b24d9206470ed9fb4c37fd89f16ed5ad2d6841b471abb826a2d
Instruction Fuzzy Hash: 04229B34B003198FDB54EBB4D4546AEB7F6AF89648F208469D406DB3A4EF39DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0708A228, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.940287034.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c001a37b6313b43b4f719324b5d32880dad7acc2a8225c1090fc477e602684
Instruction ID: 19cb5fb0296306ca94e1e165f956d4795fc1e130f864053855375916a651c9ff
Opcode Fuzzy Hash: 12c001a37b6313b43b4f719324b5d32880dad7acc2a8225c1090fc477e602684
Instruction Fuzzy Hash: 54F19DB4A00209CFDB54EFA5C884B9DBBF1BF88304F15C66AE445AF765DB74A845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06A4E7FC, Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae1d2134dc0773ed73d2777daaa14352f06004acb72d62d3765a59ed188ce2b
Instruction ID: 45d1b0ccdfe52ebc1bbc3a3d4d487eb4de739647a720eefed342f8da3ae724a0
Opcode Fuzzy Hash: 9ae1d2134dc0773ed73d2777daaa14352f06004acb72d62d3765a59ed188ce2b
Instruction Fuzzy Hash: 1D42AF70E002488FEB64EB68C8547ADB7B2EFC5304F24C4A9D519AF396DB749C85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06A4AB78, Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcdda3a55056450efb3c74672a84bedf9413cd772a47ebf445a2992ff0d98da
Instruction ID: 07e9ef874e6682f3beef75b33cc7619b40c57d780455812e10391f36a263b443
Opcode Fuzzy Hash: 2bcdda3a55056450efb3c74672a84bedf9413cd772a47ebf445a2992ff0d98da
Instruction Fuzzy Hash: C0F1B131B402058FCB54FBB8D8456AEBBB2EF89305F248469E505DB395DB39DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A42618, Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee3832b266807a9269f8c0dbc7eb7eb6ed7bf7c455403ef49258bc4e342317a
Instruction ID: 75b206c7979df376657b4116d9e59b33b3a957d1e29e5a05f5515849e2298772
Opcode Fuzzy Hash: bee3832b266807a9269f8c0dbc7eb7eb6ed7bf7c455403ef49258bc4e342317a
Instruction Fuzzy Hash: CB023A30A00119DFDB54EFA9C984BADBBF6FF89304F158469F815AB261D731DA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A42020, Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2659ad72b5e437b650b03d26e2e89aa4d620664cb9b0d35f823089733dcd66
Instruction ID: fe524591e688cce2e8afd839d71abdaf652c64c0b9536797e6f3d0f0119d5425
Opcode Fuzzy Hash: ec2659ad72b5e437b650b03d26e2e89aa4d620664cb9b0d35f823089733dcd66
Instruction Fuzzy Hash: 35F18E74A002199FDB54EFA4C890BAEBBF2AFC8304F148469E915EB395DF349D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06A4CDA8, Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3aa6fc285c041ddf30a23c11d27a7c06fda8f44e3075a67be517e626cc917c4
Instruction ID: ec8c46fe7ff0ee7e692ef9944495ac18f5431b0c1842ffb14badfdd5942891cb
Opcode Fuzzy Hash: c3aa6fc285c041ddf30a23c11d27a7c06fda8f44e3075a67be517e626cc917c4
Instruction Fuzzy Hash: BFF16834A002159FCB54FFB8C8886ADBBB2EF88314F258569D415AF395DB75DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03416B1F, Relevance: 6.1, APIs: 4, Instructions: 143threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 03416BB0
GetCurrentThread.KERNEL32 ref: 03416BED
GetCurrentProcess.KERNEL32 ref: 03416C2A
GetCurrentThreadId.KERNEL32 ref: 03416C83

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7b08f81c5b7b0b1bb4996ac4579b9082d8225ca3fa1d96226b3e0d812920d93f
Instruction ID: 19d6908440c3c42fcbc326ace96cb878cdb298d1e6b1047589a15798b23f4d46
Opcode Fuzzy Hash: 7b08f81c5b7b0b1bb4996ac4579b9082d8225ca3fa1d96226b3e0d812920d93f
Instruction Fuzzy Hash: 47519AB09057888FDB14CFAAC9487DEBFF0EF49314F14809AD458AB3A1D7389844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03416B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 03416BB0
GetCurrentThread.KERNEL32 ref: 03416BED
GetCurrentProcess.KERNEL32 ref: 03416C2A
GetCurrentThreadId.KERNEL32 ref: 03416C83

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: be04a171dc7d608b2fcdcb37eaf45a240fa70103a16501fd28eb36d71f6d0725
Instruction ID: 20f7cdcf5503cc08778a58571628e9744cfc9f9a4279e3b033ba426720856762
Opcode Fuzzy Hash: be04a171dc7d608b2fcdcb37eaf45a240fa70103a16501fd28eb36d71f6d0725
Instruction Fuzzy Hash: 225145B4904A48CFDB14CFAAD548BDEBBF0EF98314F24805AE419AB350D778A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06EDDAC0, Relevance: 1.7, APIs: 1, Instructions: 175libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06EDDB7F

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9a0e7dae4d1bbd4508c32ca11dd00e4cc5933f00034b53539701c84ce824a4c6
Instruction ID: 3767086fdf6ac3048b6928418853beffe12eb86cd7a6007e7baa8f9b5f2ab946
Opcode Fuzzy Hash: 9a0e7dae4d1bbd4508c32ca11dd00e4cc5933f00034b53539701c84ce824a4c6
Instruction Fuzzy Hash: B851CF35B003059FDB44EFB4DC44AEEB7B5AF88208F24856AD4169F295EB34DC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06EDDB20, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06EDDB7F

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c705ffd682aee5f26f753495d7ac7ae8701e025ad7cd8d9302e70077416bf5d
Instruction ID: fd333754052ff09980a541d6529db6d8f53f10301fabb8b629056a99453e5ece
Opcode Fuzzy Hash: 1c705ffd682aee5f26f753495d7ac7ae8701e025ad7cd8d9302e70077416bf5d
Instruction Fuzzy Hash: 5D516D35A003059BCB44FFB4DC84AEEB7B6AF88204F14892AD5169F395EF74D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03415184, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 034152A2

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 067253aaad8a4d063a748b050b8b68ff24df847d2b13874d7d948d8eeb15a6bf
Instruction ID: 02cb3a4e65650affdccb5f36fd7dca601b004c0a92b5a3bf34d5b804b428a6cf
Opcode Fuzzy Hash: 067253aaad8a4d063a748b050b8b68ff24df847d2b13874d7d948d8eeb15a6bf
Instruction Fuzzy Hash: A751BFB1D006499FDB14CFA9C884ADEFBB5FF89314F24822AE819AB210D7759845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06ED7B80, Relevance: 1.6, APIs: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 06ED7C94

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7f7fdfd6af0c948cd856ad37c647ce928319542ca6b7c9bed81f49320e653604
Instruction ID: 0dfdabeefb996399160e2cb847f2993324da1a2d9b611669bf79af13621c25bd
Opcode Fuzzy Hash: 7f7fdfd6af0c948cd856ad37c647ce928319542ca6b7c9bed81f49320e653604
Instruction Fuzzy Hash: 9A4167B0E053488FDB00CFA9C544B8EFBF1AF89314F29C16AE408AB345D7789846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03415190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 034152A2

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3ff8f8b246435ee4f46ee4f6ea5ad9a8b147ca57408f91aaab16abad5e13e8fc
Instruction ID: a594dd1ce9b9919771fe32803d90cd0ea4ec322a7544cc75c63ddee9dfb46537
Opcode Fuzzy Hash: 3ff8f8b246435ee4f46ee4f6ea5ad9a8b147ca57408f91aaab16abad5e13e8fc
Instruction Fuzzy Hash: 2641B0B1D107499FDB14CF99C884ADEFBB5FF89314F24812AE819AB210D774A845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06ED7E48, Relevance: 1.6, APIs: 1, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 06ED7F51

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0c8af9f779936bcf9ab0d84869bdcc52ead6880518f068aa2ecfb63d1c94e78c
Instruction ID: 33b6a3f53761a5ee7375792ab2c37a6566af272bfd7767704906f923d2368a81
Opcode Fuzzy Hash: 0c8af9f779936bcf9ab0d84869bdcc52ead6880518f068aa2ecfb63d1c94e78c
Instruction Fuzzy Hash: 5F412AB1D04358DFDB20CFA9C884A9EBBF5BF48314F25802AE818AB350D7749906CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03416964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 03417D01

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e3686b289464aa6d1134ee74906bebafa4da42a244bb914bb250ece54fdf82a7
Instruction ID: 695455ca70d0dea0d6ca757dbd33b8fd2d0fe7402e62595ce848687812aeae22
Opcode Fuzzy Hash: e3686b289464aa6d1134ee74906bebafa4da42a244bb914bb250ece54fdf82a7
Instruction Fuzzy Hash: 34411AB5A00609DFDB14CF99C448BAABBF5FF88314F14845AD519AB321D774A841CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06ED74E8, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 06ED7F51

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: de53985fcdf065a2d77dd9f91b95a04f3f886d207d985814c7f218402710c230
Instruction ID: 21c7ca548d7a8d1cab0ac0cb9f6070a3573960880e08f569b0e2350cd25e8470
Opcode Fuzzy Hash: de53985fcdf065a2d77dd9f91b95a04f3f886d207d985814c7f218402710c230
Instruction Fuzzy Hash: 0031C1B1D043589FCB20CF99C884ADEBBF5BF48314F24802AE819AB350D7749906CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06ED74DC, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 06ED7C94

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5ad1cc0d6ba556b77b8eb517ee61b92b658335cd2597ad17740eab8f594ec888
Instruction ID: 2d9d4216db84f86a5d708107219e60bb2afdbbb3fabdafcfc2ac4f399e8ccfd2
Opcode Fuzzy Hash: 5ad1cc0d6ba556b77b8eb517ee61b92b658335cd2597ad17740eab8f594ec888
Instruction Fuzzy Hash: 9D31FFB0D053499FDB10CF99C584A8EFBF5AF48308F28816AE809AB351C7759986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03416D72, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03416DFF

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8779d81cb54783c17fbfa5bb5d246dce948681ab1f5fd63abbb797652c62935
Instruction ID: b1c1f8a38776b9cbe7357f899b1ec1c9685f95070b0f39dacf9fd7b32ec3bec1
Opcode Fuzzy Hash: d8779d81cb54783c17fbfa5bb5d246dce948681ab1f5fd63abbb797652c62935
Instruction Fuzzy Hash: 6921F5B5D00248DFDB10CFA9D884AEEBBF4FB48324F14811AE814A7710D778A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03416D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03416DFF

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3c4f67c8834e8f7b4f4d0a3ab9c6aca1ccc38534ea5fc0f8a43dc714b2af6f0b
Instruction ID: 8f09abd9d19884f5eadf13306108c87e07e04d6e665d261d0e21ea4908412229
Opcode Fuzzy Hash: 3c4f67c8834e8f7b4f4d0a3ab9c6aca1ccc38534ea5fc0f8a43dc714b2af6f0b
Instruction Fuzzy Hash: 9B21D5B5D00248AFDB10CF99D884ADEFBF4FB48324F14851AE914A7710D778A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03412F30, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 03414216

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bc661a40659e07e026ee18077a1c46279aaee18c6511fbd3e77bd58dca1daff4
Instruction ID: 1b2fd1133da562ed0d97061bb1821851901f64c8154bc2639989533599744cc6
Opcode Fuzzy Hash: bc661a40659e07e026ee18077a1c46279aaee18c6511fbd3e77bd58dca1daff4
Instruction Fuzzy Hash: 6F2144B1C046488FCB10DFAAD844ADEFBF4EF48324F04886AD415ABB00C378A446CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0341BDE9, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0341BE72

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 02d6963739fbe1e1f711347d4dd2ab5dcba0f5b8dc608c754f568b0d2f966a63
Instruction ID: 0a82b48ae2591a8eb1c219dda190c0c25f4a26b09dd8c968bf2222345e606e97
Opcode Fuzzy Hash: 02d6963739fbe1e1f711347d4dd2ab5dcba0f5b8dc608c754f568b0d2f966a63
Instruction Fuzzy Hash: 53218871904B458FEB60DFA9C9447DEBBF4EB48324F14842AC404EBB41C3386914CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070866C8, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,070866A9,00000800), ref: 0708673A

Memory Dump Source

Source File: 00000003.00000002.940287034.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c92c8fc948aff808f4984116b93654c3e172331c0b14d3d1f05cefc9d2515fcd
Instruction ID: bd8433fc78b680cf55ea3634d8393c2fc9ff4bca148f83b89e210d77bc621ad2
Opcode Fuzzy Hash: c92c8fc948aff808f4984116b93654c3e172331c0b14d3d1f05cefc9d2515fcd
Instruction Fuzzy Hash: 652114B69002099FDB10CF9AD844BDEFBF4EB98324F10852AE455A7700C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070856C0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,070866A9,00000800), ref: 0708673A

Memory Dump Source

Source File: 00000003.00000002.940287034.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d113ecad3fb9c34dbe856e56e83fa3abef33661b86576ba0d6d09f37472b6b46
Instruction ID: 768181126d032f14292c7d50f171ab54c744cf0ff0ca7121dcb71a3612675fbd
Opcode Fuzzy Hash: d113ecad3fb9c34dbe856e56e83fa3abef33661b86576ba0d6d09f37472b6b46
Instruction Fuzzy Hash: F61142B69002099FDB10DF9AC844BDEFBF4EB88320F00852AE415B7700C375A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0341BDF8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0341BE72

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e96f413e90c46ca69351626bc03c954d7bf3edff0a217d97f37f09c2a4b45096
Instruction ID: 66f099c0d0550a38a9819a5fcdf235f6d6fe543347255fd429cddc593a471965
Opcode Fuzzy Hash: e96f413e90c46ca69351626bc03c954d7bf3edff0a217d97f37f09c2a4b45096
Instruction Fuzzy Hash: C21167B1904B098FDB60DFAAC94879EBBF4EB49324F14802AD505EBB05C7386954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06EDC220, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06EDC261

Memory Dump Source

Source File: 00000003.00000002.940146037.0000000006ED0000.00000040.00000001.sdmp, Offset: 06ED0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a6c1cbf59c1743136e278b6b705316264c0de1d1495d93f7e12f69ff6a0501b
Instruction ID: d25f56b39720d86c2b84fe0721aa3464519d65f218060025e1b140ef97ba37e9
Opcode Fuzzy Hash: 7a6c1cbf59c1743136e278b6b705316264c0de1d1495d93f7e12f69ff6a0501b
Instruction Fuzzy Hash: C3112E30E11318DFDB14EFB4D494AADBBB5FF48744F208829D401AB254CB759846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 034141AA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 03414216

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3d3e7156ab7502a269f06f8b1f9a405f0b372884feaee5406554fefe2e882fab
Instruction ID: c943ab543a51d13530fab1250d17221541ae333fbccd574d933dd38c9cb913df
Opcode Fuzzy Hash: 3d3e7156ab7502a269f06f8b1f9a405f0b372884feaee5406554fefe2e882fab
Instruction Fuzzy Hash: 331102B6C006498FDB10CF9AD844BDEFBF4EB88324F14852AD419AB700C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03412F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 03414216

Memory Dump Source

Source File: 00000003.00000002.933403788.0000000003410000.00000040.00000001.sdmp, Offset: 03410000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6aa8739b2b0097b960d19bdf2d7d838be4c7874d14a3f8383de60e7fec283009
Instruction ID: 7bc74fc4909ddf3eda79b8d8f7f775f478e9baa0a91399b5f27675766981e7fc
Opcode Fuzzy Hash: 6aa8739b2b0097b960d19bdf2d7d838be4c7874d14a3f8383de60e7fec283009
Instruction Fuzzy Hash: 7F11EFB58046498BDB10CF9AD844BDEFBF4EB88324F14852AD829AB700C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070890D0, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0708A065

Memory Dump Source

Source File: 00000003.00000002.940287034.0000000007080000.00000040.00000001.sdmp, Offset: 07080000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 618fa8772a5479a6c876af537787dd3e59f5edf0e520ddf3aef9f792397563da
Instruction ID: 735ed7396e2175b79b250848ce567d63bb14876f011224f5132034e93efee31d
Opcode Fuzzy Hash: 618fa8772a5479a6c876af537787dd3e59f5edf0e520ddf3aef9f792397563da
Instruction Fuzzy Hash: E41145B19043488FCB60DFA9D444BDEBBF4EB49324F10851AD469E7B00C379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A4BD92, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

P@4k, xrefs: 06A4BE17

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID: P@4k
API String ID: 0-4221113945
Opcode ID: 10acfa850f1d694f7a1fd301a68a0ff4850ca75adc8b929dfa859eee2eaf25ec
Instruction ID: 1dd4cf3ed55cd3f63f5508d0d7fae11a7e00da66ffe8fd4c2b381c69d13f300a
Opcode Fuzzy Hash: 10acfa850f1d694f7a1fd301a68a0ff4850ca75adc8b929dfa859eee2eaf25ec
Instruction Fuzzy Hash: EF318C35B002058FCB58AF74D8652AEB7F3AF8D245B148569D4069B354DF34DC46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06A4BDA0, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

P@4k, xrefs: 06A4BE17

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID: P@4k
API String ID: 0-4221113945
Opcode ID: 2e0cb4144516fd2008a89e752243afb53ef76f74fbc1f8bef4f547d808f70d1a
Instruction ID: 49de621729882cbe5043fcc5b42be54a94e5281977d4c4207ed1b4c173679e80
Opcode Fuzzy Hash: 2e0cb4144516fd2008a89e752243afb53ef76f74fbc1f8bef4f547d808f70d1a
Instruction Fuzzy Hash: F1318A35B002048BCB58BB7498652AEB6F7AFCD244B148469D406EB394DF34DC46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06A4C040, Relevance: .9, Instructions: 942COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11552f09e076a39b3400b83f720a6009033b450336cf69c7333261d6a2a0976f
Instruction ID: aba1b0602614be0bc05b703f23c4c78e8ebe88b114eed897e98dd879c912e808
Opcode Fuzzy Hash: 11552f09e076a39b3400b83f720a6009033b450336cf69c7333261d6a2a0976f
Instruction Fuzzy Hash: E9825934A02204CFDB64EFA4C8886ADB7B2EF89365F148469E40ADF751DB39DC85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06A43E28, Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f413d2d24fa3aba14b858bef2f852ea2ff84fea533915a80d414ec86cdc9cb2
Instruction ID: bc229ba359d0f414ea19489bb72e79473e3a5c40e4f0c7d1fa6c3ec87beec2ca
Opcode Fuzzy Hash: 4f413d2d24fa3aba14b858bef2f852ea2ff84fea533915a80d414ec86cdc9cb2
Instruction Fuzzy Hash: 71726234A042189FEB14EFA4C850BAEB7B3EF88304F1084AAD6166B7A4DF355D45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06A45A68, Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2747b56416c56131013df793cfb7ba02b31836301dccc189c89121f7ed2f987
Instruction ID: 6276d7219e41ae8c1f6a79dab56b52c13f1534f209a39d96ce9ffd513c1e03e2
Opcode Fuzzy Hash: b2747b56416c56131013df793cfb7ba02b31836301dccc189c89121f7ed2f987
Instruction Fuzzy Hash: 3CD1A431E151049FC7A4FBA88C806DF7BE79FDD654F588125E4229B2A6D73098038FE1

Uniqueness

Uniqueness Score: -1.00%

Function 06A432D8, Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a3e2fd5c5168435b82454fe1544ed621c82a4a82188d7bcca7e91bb02eb88f
Instruction ID: 4beb21f694ec51f26eaec94587fbc03f0299bfedf612dfe59b8c14dccef96e85
Opcode Fuzzy Hash: 39a3e2fd5c5168435b82454fe1544ed621c82a4a82188d7bcca7e91bb02eb88f
Instruction Fuzzy Hash: 79124A31A00109DFCF94EF6AC984AAEBBB2FF88354F158554E456DB2A1C734EC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06A42D50, Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0f590d2035c22a5c613b398e868652b1dca6c9d7f42a6051a1b7c288832cd0
Instruction ID: aaaaa98f5b6852d200714a7e811fab6567758c3a649bbf6bbcdadde7791af016
Opcode Fuzzy Hash: ed0f590d2035c22a5c613b398e868652b1dca6c9d7f42a6051a1b7c288832cd0
Instruction Fuzzy Hash: 4B126A30A002089FCF64EF6AD884A9EBBF2FF89314F158559E8159B761DB70ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A4B8AF, Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293cfa9750c04ad51a3016400c605dedeeccda0b1d7c9bb6db22191a5378723c
Instruction ID: 7cf6ca8619cfbb10aec8ac01089f334db6404d1d60cfd6ad3dcaa2aa66a46c0b
Opcode Fuzzy Hash: 293cfa9750c04ad51a3016400c605dedeeccda0b1d7c9bb6db22191a5378723c
Instruction Fuzzy Hash: 08E1AC30B493858FD752EB78985469A3BF1AF86310F1A80F7D144CF697EA28DC46C761

Uniqueness

Uniqueness Score: -1.00%

Function 06A416C8, Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a1712c1065e504ba7c3e6f5099d2dda53f7cd0cd50a1cb7b372f7773694c8
Instruction ID: f17548dbed78269f7825e0bb67371c85a97452e56eaa1e440e16113d70510f57
Opcode Fuzzy Hash: 581a1712c1065e504ba7c3e6f5099d2dda53f7cd0cd50a1cb7b372f7773694c8
Instruction Fuzzy Hash: 96B1EC357086149FDB15BB64C894B7E7BE6AFC9244F088429E90A9F394DF74CC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06A4E378, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a75f74532d2b9918022ba7629b1f2fcdac7eeba3bbf7623289298797e5de1ab
Instruction ID: 8de41e4d081dcae069ee080cccc4eb3caadaad44873f9897668a8374d5bfc712
Opcode Fuzzy Hash: 7a75f74532d2b9918022ba7629b1f2fcdac7eeba3bbf7623289298797e5de1ab
Instruction Fuzzy Hash: 45C1BE30B042418FDB45ABB4985466E7BE2AFCA350F25846AE405DF395EF388C06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06A44C78, Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4599fed932ae17dfae3f3d9c9e0abffdd450aea85b967a2bc06903dd07e3b135
Instruction ID: 94d6f5772fd28f79f5aba20cc8016887df1b305f614a59f2da4beedbb3ad4d32
Opcode Fuzzy Hash: 4599fed932ae17dfae3f3d9c9e0abffdd450aea85b967a2bc06903dd07e3b135
Instruction Fuzzy Hash: 38D10975E011148FCB54EFA9D984A9DB7F6FF8C714B2680A9E415AB361CB30EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06A4D718, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8405e6f6f47ad9895f723da58f235c0641ac62bdcabed7e7d0629eea435efcaa
Instruction ID: 9dfbfa260e650b62e92cb6bf7edd29300bbbedbc64ee413303e9c80ac66a6edf
Opcode Fuzzy Hash: 8405e6f6f47ad9895f723da58f235c0641ac62bdcabed7e7d0629eea435efcaa
Instruction Fuzzy Hash: D4A1FF32B005108FDBA8BB78CC5476EB7A2AFCA214F168479D459DF7A5DB36CC028791

Uniqueness

Uniqueness Score: -1.00%

Function 06A44B57, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f092b96b41ac40d6ee336853084c568401134f33a41d20e9cf8adf4434afae3
Instruction ID: 494b559fc4f3ccbbe38a43dbc08bf5ccd67817a3efb15faaf4df520b39368c81
Opcode Fuzzy Hash: 1f092b96b41ac40d6ee336853084c568401134f33a41d20e9cf8adf4434afae3
Instruction Fuzzy Hash: 94D1E971E01219CFCB44EFA9D984A9DBBF2FF88354B2A8195E415AB361CB34EC41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06A4F498, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f12c95061de6dd6647c77b25d252f2298fda9a8a27a554eddaeb4201cc4a8de
Instruction ID: 555a69bafd30028de13450fd19c78445f6edc9e5b69e80430c96b0e0b743fe27
Opcode Fuzzy Hash: 1f12c95061de6dd6647c77b25d252f2298fda9a8a27a554eddaeb4201cc4a8de
Instruction Fuzzy Hash: 1AC1BD31A04259DFCF55EFA8CD40ADDBBB2FFC9310F118166E805AB261D775A851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06A42D40, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ad70081d5f2e1702117bfcc32cd265bc1264d7806347cc026eb55714ac3536
Instruction ID: 5f88b41e0b41a2e514adbd2cdeb29daa085b23da1658948f2b968b4693e8bf8f
Opcode Fuzzy Hash: 76ad70081d5f2e1702117bfcc32cd265bc1264d7806347cc026eb55714ac3536
Instruction Fuzzy Hash: A9C13B30A002099FCF54EFAAC984A9EBBF2BF89314F158559F855AB761D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A4F158, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4018ef4accf8d2a9050e5b3314389a81af663bbb8856764e70c147616e36b82e
Instruction ID: ecf7a27c404023de59415ce37d08b80717005ea9fcaa8b65e730a567e63f9a57
Opcode Fuzzy Hash: 4018ef4accf8d2a9050e5b3314389a81af663bbb8856764e70c147616e36b82e
Instruction Fuzzy Hash: 7EA15B34B006458FDB55FF68C844AAE7BE5AFC9240F2950AAE815CF361DB74EC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06A45688, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7f8a73edbd2e93656ad51ba72512b007d9223a61996ea565904a7241193529
Instruction ID: e4d7721e43d71effaa0124fe43dad74cfc9bfe774d7e9f5255e47b6ec09f709f
Opcode Fuzzy Hash: 5c7f8a73edbd2e93656ad51ba72512b007d9223a61996ea565904a7241193529
Instruction Fuzzy Hash: 04914B35E04255CFCB55EF69C884AAEBBB5EF85310B1684AAE8159B262C731E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A41AC0, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81fa8cd46590d008181c73907498817ad8ed6240a5376517d771a9e1265e14b
Instruction ID: d3d6befc5e4ac05d42c81ea74b5d546d89e6f541aa4ae5b3b9aab7c3ab1ca60e
Opcode Fuzzy Hash: c81fa8cd46590d008181c73907498817ad8ed6240a5376517d771a9e1265e14b
Instruction Fuzzy Hash: 37819E34B006058FDB94FF69CC84ABABBF2AFC9249B158169D416DB361D730EC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06A4E4C8, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64d840fd75ed481a48626d84b63802a06e6d731f815e5defae1fe62d545c4e3
Instruction ID: 3990f1a117e8d8ca97664ff437a06f4c6ef9b9528a287f4b6763405c812144a9
Opcode Fuzzy Hash: f64d840fd75ed481a48626d84b63802a06e6d731f815e5defae1fe62d545c4e3
Instruction Fuzzy Hash: C1717F35F002059BDB58EBB5D86576E76E3AFC8354F248829E406DB394EF788C4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 06A4D4AF, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934853b4bcd31e3e33a87d3d4eff668bff9b3133bbc930e834a2708a4042cad4
Instruction ID: 6a8c10a1fbebd615a30ff6076a9b2b80b963a7a611ecb8c5606823e5f089a253
Opcode Fuzzy Hash: 934853b4bcd31e3e33a87d3d4eff668bff9b3133bbc930e834a2708a4042cad4
Instruction Fuzzy Hash: 28719E30B093848FD745EB78D8546AD7BB1EFCA314F1680AAD544DF696DB288C06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06A43AC8, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d486a268cb1c1f522dbe4e91c84243e046565c5aea5ce3f4cd523d9ddc8e40
Instruction ID: 4c86e6d5ff3ddc356371b706ebd34e42fe79e8b22a067c93a1c04076167e3008
Opcode Fuzzy Hash: e0d486a268cb1c1f522dbe4e91c84243e046565c5aea5ce3f4cd523d9ddc8e40
Instruction Fuzzy Hash: 61516F317145158FDB94FF3ACC85A6ABBE9FF8565071581AAE406CF262DB31EC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A4E7B4, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd6cd5226e7268883ad9c3c732babb031a745494cc7f080e498eaaba58d76c1
Instruction ID: 516f561b2714a9c96bc1c391d53a4fcc32b7102e5f996703e8aae168c53a3508
Opcode Fuzzy Hash: efd6cd5226e7268883ad9c3c732babb031a745494cc7f080e498eaaba58d76c1
Instruction Fuzzy Hash: B4414D35B002058FDB58BB74C86976E7AE2BFCC254F244429D806DB395EF788C42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A4F653, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74a715d07debefebbce9cd10f485362bee642216f540542435b95cc6163a89f
Instruction ID: b32881b7e852cf8e6d6a71a9d04fb9b320c2e5f72f6fc2c28f20774122618f1c
Opcode Fuzzy Hash: f74a715d07debefebbce9cd10f485362bee642216f540542435b95cc6163a89f
Instruction Fuzzy Hash: 9241DF31A04259DFCF41EFA4CC40A9EBFB2AFC9314F018156E805AF2A5D374E914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06A458FA, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b87a0721899f2a448f43120d19fdc5c4b2babb103aa4a13aa424424ded6ea2
Instruction ID: 18f1659b9d3bc04405d9bf6bf847c65976e80757e97af81ef98a41e8dd97abd0
Opcode Fuzzy Hash: 25b87a0721899f2a448f43120d19fdc5c4b2babb103aa4a13aa424424ded6ea2
Instruction Fuzzy Hash: E041B1317056159FDB15EF24D8546AE3BF2EFCA221B0580AAE449CF352CB39CC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06A438D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa67d957acd32dbc0ed2240cff967090d116789ce0d0fdac716f0b08a5a3d15
Instruction ID: 3ce6bb16734c5b17fe4172c5fbf4ddded477bc8a8ecc54986fa9c1622c33abd8
Opcode Fuzzy Hash: 9fa67d957acd32dbc0ed2240cff967090d116789ce0d0fdac716f0b08a5a3d15
Instruction Fuzzy Hash: 94413574A001098FCF54AF6AC898AAE7BB5FF88350F100069F9168B3A1CB72DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06A43D09, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb4bc4b2087d2e7a42c3e985bef11f9793baa1673c98a890521eefe8588a884
Instruction ID: 217912dfd04bdc7bf078895d264c53c1a35a6368818e8aee7316456505fe3651
Opcode Fuzzy Hash: 5bb4bc4b2087d2e7a42c3e985bef11f9793baa1673c98a890521eefe8588a884
Instruction Fuzzy Hash: 9C21FF317142158FDF5937368C9623E7BEB9FC5504718847AD902CF3A2EB28CC029381

Uniqueness

Uniqueness Score: -1.00%

Function 06A43D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc9b075952e5a1bd90cd268f7aae90b4f9868980915dd36ee7cfeb22cf6967f
Instruction ID: 8b99ab096a8072af76bc2617111898ff6b5b4889a1e1c47247fdbf6a51ee0f3b
Opcode Fuzzy Hash: 5bc9b075952e5a1bd90cd268f7aae90b4f9868980915dd36ee7cfeb22cf6967f
Instruction Fuzzy Hash: 4021B0317102194BEF5877368C9567E3AEB9FC5654F248439D902CF7A4EF69CC429381

Uniqueness

Uniqueness Score: -1.00%

Function 06A4AB19, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131643f92b61d1e94def1c89fb1aeeae6f49427bb319e8dcf2ef72a8bdf014a7
Instruction ID: 7c620cd4b2f6cfb7f883a533d4d6ab5487a868134a2244223f27fcaf0a2702a2
Opcode Fuzzy Hash: 131643f92b61d1e94def1c89fb1aeeae6f49427bb319e8dcf2ef72a8bdf014a7
Instruction Fuzzy Hash: 8231F470E452088FCB40EFB4D98469DBBF2FF89315F25816AD108DB246D3389C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A414F0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b433e509003bd387a5414b66c4c5dc7b038bbeef0ec2d2c72caa06ad493a97
Instruction ID: c30d343c6232aa9e305bd4ee7baf5eec978e8e3b232a812873dc84aaf13b1cec
Opcode Fuzzy Hash: 64b433e509003bd387a5414b66c4c5dc7b038bbeef0ec2d2c72caa06ad493a97
Instruction Fuzzy Hash: 5E316B31600109AFCF45BF59D844AFE3FB2EB88211F04801AF9168B255CB35CDA2DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06A43C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f146ea67a56f3636dd2c757709cfc4e6e89df6184d7fac87a5ab6b37ff3d5797
Instruction ID: 3d1967bbad0df1edad3be304db098ece082746a34e5720c13449b4f59d1aff30
Opcode Fuzzy Hash: f146ea67a56f3636dd2c757709cfc4e6e89df6184d7fac87a5ab6b37ff3d5797
Instruction Fuzzy Hash: 8E21AD317042698FDF95FF679C80A6F7BBAEFC5240B054426E812CB241DB75E808D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 06A4CBE0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777180fe8b4c4cdc992b83268a9ca9c2f11d8e88c0d09f6382f3bfce32f1a389
Instruction ID: b680e737b17033b2218e98ad073615140da4101e8714cba4afac43b9372e594a
Opcode Fuzzy Hash: 777180fe8b4c4cdc992b83268a9ca9c2f11d8e88c0d09f6382f3bfce32f1a389
Instruction Fuzzy Hash: 5921AF75F012159FDB50BFB988046AEBAF5AB88250F104025E90AEB384EB349D418BE8

Uniqueness

Uniqueness Score: -1.00%

Function 0317D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.932756481.000000000317D000.00000040.00000001.sdmp, Offset: 0317D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3072dbfaec9e91c948fc5f412d719a0d33c8471adff20fab98cc80ab581fcb61
Instruction ID: 5a7b8ad0e9aef4d427dd62158f8deb68fc9736934b30310e816355823e9a10da
Opcode Fuzzy Hash: 3072dbfaec9e91c948fc5f412d719a0d33c8471adff20fab98cc80ab581fcb61
Instruction Fuzzy Hash: 9C2128B1508248EFDB15DF10E9C0B27BB75FF8C324F2885A9E9064B606C336E846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0318D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.932826668.000000000318D000.00000040.00000001.sdmp, Offset: 0318D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a409098cdc7d0b4e77ab064b2bc80ac2f11ee263043f80f9c66701d82762923
Instruction ID: c80bdb0b751aa76f648df7fbf013eb82b82ac667aec4a1603be8123be6262eba
Opcode Fuzzy Hash: 4a409098cdc7d0b4e77ab064b2bc80ac2f11ee263043f80f9c66701d82762923
Instruction Fuzzy Hash: 7721F571608344EFDB14EF14E8C4B26BB65FB8C314F24C5A9D8094B386C736D847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 06A419E0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea1e1a1973370e05ea2b2aecb8fe2c218e3d9903575b3f8a985263293ec1c2b
Instruction ID: 492cae5ec4529b97fecc84708f7b1d249e85171e5ef703b72b52457ba69314f3
Opcode Fuzzy Hash: 1ea1e1a1973370e05ea2b2aecb8fe2c218e3d9903575b3f8a985263293ec1c2b
Instruction Fuzzy Hash: F8110132701A158FD714BB29C88057AB7A6EFC4260B184179E907DF350DF20DC42CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0318D007, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.932826668.000000000318D000.00000040.00000001.sdmp, Offset: 0318D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6694bd1927c677a95df50dd5b0b75378fc085de6d5466c0745b0e5a012e895
Instruction ID: db241236c2d4868c72caf27c9e75a352b9612ebff9a33e4a2ac10b06408f7bf1
Opcode Fuzzy Hash: 7f6694bd1927c677a95df50dd5b0b75378fc085de6d5466c0745b0e5a012e895
Instruction Fuzzy Hash: 48218E755093808FCB02CF20D994B15BF71EB4A214F28C5DAD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06A4F738, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3badaa8500c42f55da16343fd79f8d821e190b06c87d9f06d7ff07a7885220
Instruction ID: 7914555472b0672ecc6fb493814f422646226ea2083aefbec4b5147815bc103b
Opcode Fuzzy Hash: 3e3badaa8500c42f55da16343fd79f8d821e190b06c87d9f06d7ff07a7885220
Instruction Fuzzy Hash: 9811BE31A04205DFDF50FFAACD80B9ABBA2AFC5324F058655D418AF291D371F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06A45852, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa29c53d80cf3eb336c833839b78ec4b79bdaf00e19ac4ac52e24554d0f418e3
Instruction ID: dd3bbafeea92c67ce362faaa3f4f9c497e7777669eed03517332575499a8c79c
Opcode Fuzzy Hash: aa29c53d80cf3eb336c833839b78ec4b79bdaf00e19ac4ac52e24554d0f418e3
Instruction Fuzzy Hash: B5114F75E0125A9FCB40EFA9D8405EEBBF5FF88210F14852BE415EB341D7748A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A414E0, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddc2d7453f868c8088a56e4abee3b02c0b89c617198ff022d6835113da635ba
Instruction ID: 57b831e545d661af825213117a58704bc8971520fb82769590faf7d22c0537dd
Opcode Fuzzy Hash: 0ddc2d7453f868c8088a56e4abee3b02c0b89c617198ff022d6835113da635ba
Instruction Fuzzy Hash: CE1191316012599FDB41FF19D844BBA7FB6EB89211F144026F91A9F301C734CDA1DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0317D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.932756481.000000000317D000.00000040.00000001.sdmp, Offset: 0317D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 82c1ed4ee8cb5fe62b4cda4df2c457ac5f7d76e8549f873a11b57e08728f47f8
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 3511B176404284DFCF11CF10E5C4B16BF71FF88324F2886A9D8054B616C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06A42617, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcd646f54f7f3e4a17022e5687366ebe951c5bb966f2e2d4b62d03471ce6c45
Instruction ID: 1c0b52de8ed10f9d1ba10d595a3ebefa3591e359d5f9c2fd206ea41e138acb1a
Opcode Fuzzy Hash: 7bcd646f54f7f3e4a17022e5687366ebe951c5bb966f2e2d4b62d03471ce6c45
Instruction Fuzzy Hash: 4D115B71D00208DFDB64EF94C948BAABBF6EF88314F04842AF5199B611D775DA58CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A4BCD0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a474882cebc19493d92561f65759f99fc12af5048e9402019be15ecd2ea634fb
Instruction ID: f6b91ecb3e541d0bade3c2d4205479e19f471e908f56c8ac91fafcf206e4e525
Opcode Fuzzy Hash: a474882cebc19493d92561f65759f99fc12af5048e9402019be15ecd2ea634fb
Instruction Fuzzy Hash: 8B112E35B112188F8B40EF78E84999EBBF5FF8C2117108429E54AD3754EF789D02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A41628, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b365bb87d72fce647c5a6810085bb577a93565c1da0dc47b243f0926b0781f
Instruction ID: 7208ea912c689aacff33eeddc6ffdc9e56719d6b235f335542d7788481e643cb
Opcode Fuzzy Hash: 84b365bb87d72fce647c5a6810085bb577a93565c1da0dc47b243f0926b0781f
Instruction Fuzzy Hash: A801B532B045586BDB15EE599C00AEF7BEBDBC8690F18801AF515DB250DB71CC1297D4

Uniqueness

Uniqueness Score: -1.00%

Function 06A43A20, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d23990482e652f0839f17d4de7828a9c1d622e3671937385be209d32f368e73
Instruction ID: b6770dfc17d0fbcafabdc635584520fa3dd9ae80805e90e66dd55f0a60e8d821
Opcode Fuzzy Hash: 3d23990482e652f0839f17d4de7828a9c1d622e3671937385be209d32f368e73
Instruction Fuzzy Hash: 7FF0AF317805104F8F557A2F9C54A2A7ADEEFC4AA031540B9E805CF361DF22CC02C390

Uniqueness

Uniqueness Score: -1.00%

Function 06A4AE20, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a266b080eb9697b8bf1c5cc7a0bee5115d50cfe5c7d662cfb027caf00daaab
Instruction ID: f6f039bdfc0b251e4c27f5939ddae6566f48a994587abb466468ef3109dce23d
Opcode Fuzzy Hash: 91a266b080eb9697b8bf1c5cc7a0bee5115d50cfe5c7d662cfb027caf00daaab
Instruction Fuzzy Hash: 23F0A435F502259BCB54BEF9DCC16AFB365EB86255F104839D619CB254E621DC048391

Uniqueness

Uniqueness Score: -1.00%

Function 06A4AAA1, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee223b910c26eeb148ae023a2b9b34d969443f0578f3e79b52dba1c87e6d7ecb
Instruction ID: c93355c70fcba64164d73b3f249bc3fe3668cfb5b3f938606c4f231af4e6d62c
Opcode Fuzzy Hash: ee223b910c26eeb148ae023a2b9b34d969443f0578f3e79b52dba1c87e6d7ecb
Instruction Fuzzy Hash: 53F08271E042199FC740EF6C984459EBBB9EB8C220B054275D51DD3304E6349A428BE0

Uniqueness

Uniqueness Score: -1.00%

Function 06A4AAB0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c179bfdd3a1e3b40fdaf0d97328abfe62de9a8543ec8672b415261238a85dbb
Instruction ID: f0f45e6a525f690ddf38719ce0bdc95498b4cb40246f2c98b42b8c01db747622
Opcode Fuzzy Hash: 0c179bfdd3a1e3b40fdaf0d97328abfe62de9a8543ec8672b415261238a85dbb
Instruction Fuzzy Hash: 46E01271E042199F8740ABAD98055AE7BF9EA8C221B104076E51DD3304EA3089418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 06A4BD31, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b336873acf05998e170821292905fa70ceb24ce74b56441a27688e87fd227d0
Instruction ID: 007519eb65171106adf197235899bda5f205894f32aa9e58f259bbb357f8de87
Opcode Fuzzy Hash: 5b336873acf05998e170821292905fa70ceb24ce74b56441a27688e87fd227d0
Instruction Fuzzy Hash: 82E0C935B111188B8B84FBB8E8494DDB7F1FFCC221B114065E50AD3794EE389C01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A43A13, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcea5aa59eb8a94f3e6c03de415ee96cedf52533631340fafb367394467d304e
Instruction ID: 1baa1a229d0193e72df82269b1045de44c388f373d385698b491e6c4482c5d4f
Opcode Fuzzy Hash: fcea5aa59eb8a94f3e6c03de415ee96cedf52533631340fafb367394467d304e
Instruction Fuzzy Hash: B5D0C237B85510278F20219F6C40762A998CFC53B1B090276FA1EC7340D922C8000290

Uniqueness

Uniqueness Score: -1.00%

Function 06A44890, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: d21cef3e40efed2a28af8c71e9f9874d43adfcf07552ef994139f283f3ed7414
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: F8C01233A2C2286AA664308E7C40AA3AA8CC2C92B5A250237F51CD720098829C8001E5

Uniqueness

Uniqueness Score: -1.00%

Function 06A41D70, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed22170d1c67ba9bca7a59aeb9fe8649b7f4da54fce8754788bf3a65c94ce02
Instruction ID: 250939db8a617c78abb9359f0d914079cee2de2a03eff52ba4abcb4bec857d8f
Opcode Fuzzy Hash: 7ed22170d1c67ba9bca7a59aeb9fe8649b7f4da54fce8754788bf3a65c94ce02
Instruction Fuzzy Hash: 9CD0123405A7496FDB45DB30F8854997B369B812093048A6690444E669DB795E0A9B82

Uniqueness

Uniqueness Score: -1.00%

Function 06A44A5D, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f7153f79ec5677d85ff823281b096a0c4cbe246e20f4855e9161d3316533ce
Instruction ID: 70a3c905378e9ade35e2e3331c806ad7e51217f29fae2f2207ae14a2c7df624f
Opcode Fuzzy Hash: e5f7153f79ec5677d85ff823281b096a0c4cbe246e20f4855e9161d3316533ce
Instruction Fuzzy Hash: 34D0673AB500189F8B049F98E8408DDFB76FF98225B058116FA15A3265C6719921DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A41D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.939912770.0000000006A40000.00000040.00000001.sdmp, Offset: 06A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8794d502d2488985e37b862a9b1a4c2e4a23d11d237449c5ec97cd7d47f065
Instruction ID: 7e164bfee74b1ec7e1c8c97b71874d2fdca656f8d535bf8135ddaf246e904eba
Opcode Fuzzy Hash: 7b8794d502d2488985e37b862a9b1a4c2e4a23d11d237449c5ec97cd7d47f065
Instruction Fuzzy Hash: 3EC01234069309579A44FF60F880459736E97C42083408D21A0040D728EF786E0947C6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: kprUEGC.exe PID: 5608 Parent PID: 3424 kprUEGC.exeCOMMON

Executed Functions

Function 00ADB681, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00ADB6F0
GetCurrentThread.KERNEL32 ref: 00ADB72D
GetCurrentProcess.KERNEL32 ref: 00ADB76A
GetCurrentThreadId.KERNEL32 ref: 00ADB7C3

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6c1f462519293f0b46a4b43b8a1d7817a2597aff045bbae249e2266e4e1a77f5
Instruction ID: 634ebee4e21aa0be714b1257577bd35e9b265cbc1108966e518ed21d4deb7ae5
Opcode Fuzzy Hash: 6c1f462519293f0b46a4b43b8a1d7817a2597aff045bbae249e2266e4e1a77f5
Instruction Fuzzy Hash: 3A5177B0D05348CFDB10CFAAC588BEEBBF0AF88304F20856AE419A7360C7745844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00ADB690, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00ADB6F0
GetCurrentThread.KERNEL32 ref: 00ADB72D
GetCurrentProcess.KERNEL32 ref: 00ADB76A
GetCurrentThreadId.KERNEL32 ref: 00ADB7C3

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e2d5faa99662dc4987c3692886a8f9afdd7bde2c10f315f2f7831905cd8124c2
Instruction ID: 9930ca163020974e43e4993ce2fec6fa380e458a3537fe3c4fbbe058f1fcbaf5
Opcode Fuzzy Hash: e2d5faa99662dc4987c3692886a8f9afdd7bde2c10f315f2f7831905cd8124c2
Instruction Fuzzy Hash: 215153B0D01249CFDB54CFAAC588BEEBBF0EF88314F20846AE419A7360D7745844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFCF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ADFE0A

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7386c06ceb440cdf6507ead4cb5b62ea7ee14cbcf4280cfb0d31f600ebe13e34
Instruction ID: f7c70b949f3eb148ed95e7a6b316e6600445e111f3ddd6600abaa1b9e48aeb28
Opcode Fuzzy Hash: 7386c06ceb440cdf6507ead4cb5b62ea7ee14cbcf4280cfb0d31f600ebe13e34
Instruction Fuzzy Hash: 3641B0B1D003099FDF14CFA9C884ADEBBB5BF48314F24812AE419AB261D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFCF7, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ADFE0A

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f45fd002461d051618b4db6bca418b2e74dfd8c0ce4ce4183807bb25ffe6493
Instruction ID: e3255bc80de1d3356336c69f296649bcd7ccf1fe2b113139d2216d62c1c4ec57
Opcode Fuzzy Hash: 2f45fd002461d051618b4db6bca418b2e74dfd8c0ce4ce4183807bb25ffe6493
Instruction Fuzzy Hash: 1941B0B1D003099FDF14CFA9D884ADEBBB5FF48314F24812AE419AB261D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD3DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD5421

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 38bf4c6192928dd2163b680dae168d8d78a1848136b1e7a1a167d29d8ae49a20
Instruction ID: cbb5683966aa3009e9b5a2a33063931837fc5ada53cfb8357d28c4833d132012
Opcode Fuzzy Hash: 38bf4c6192928dd2163b680dae168d8d78a1848136b1e7a1a167d29d8ae49a20
Instruction Fuzzy Hash: F941F6B1C04618CFDB14DFA9C844BDEBBB6BF48304F10846AD409AB351DBB55945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD536F, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD5421

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ffc7e46e63b99ad711f1cd23ca019dbd7b12a00f6f4f8c60afaa12539990bb90
Instruction ID: 40e6e2cb172b21df3f157a1fe6806d1e8a7ce0d3a9c1bc3480122eb5dd45b37b
Opcode Fuzzy Hash: ffc7e46e63b99ad711f1cd23ca019dbd7b12a00f6f4f8c60afaa12539990bb90
Instruction Fuzzy Hash: 6741F7B1C04618CFDB24DFA5C8447DEBBB6BF58304F10805AD409AB251DB755946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00ADB8B3, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ADB93F

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ff34e423aa6ae7d42556bbb7adf7e0e66781dfad25a86a43fb6fac2eca4a097e
Instruction ID: b5dde5b6ac8009876cf4818415d7d5dc10da8c8eaa4cc1b9ae9dcd4975a2929e
Opcode Fuzzy Hash: ff34e423aa6ae7d42556bbb7adf7e0e66781dfad25a86a43fb6fac2eca4a097e
Instruction Fuzzy Hash: 6C21E3B5900259DFDB10CFA9D884BEEBBF8EB58320F14801AE915A7310D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADB8B8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ADB93F

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ea9d3f0571d9ca296e7d9b42b24886e48b6d6450a32fc1ac876f750252ca68d
Instruction ID: 289d959759e5fae3af7761f2e5a490cfe87f6affc77268586f8d203a850d372a
Opcode Fuzzy Hash: 8ea9d3f0571d9ca296e7d9b42b24886e48b6d6450a32fc1ac876f750252ca68d
Instruction Fuzzy Hash: 3921D5B5900259DFDB10CF99D884BDEBBF8FB58324F14841AE915A7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00AD9951,00000800,00000000,00000000), ref: 00AD9B62

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 712c8bc284d1303bf338c8983f05c802c6de26f39fef29745e2837594f1dab3e
Instruction ID: da8751010ff8ceb69c2ae9b3e939335d8d5ddb9d55a96b83842b94705ee5f32a
Opcode Fuzzy Hash: 712c8bc284d1303bf338c8983f05c802c6de26f39fef29745e2837594f1dab3e
Instruction Fuzzy Hash: BC11F2B69002499BCB10CF9AD444BEEBBF4EB58324F15852AE416AB710C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9AF4, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00AD9951,00000800,00000000,00000000), ref: 00AD9B62

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8aa827a3b9d8233f21e407526a8f3a3eee8fd002d52d3088350f67c3707e7a02
Instruction ID: c29f2deefc1b738f0059ebd13756cef1e28fc5ee3623c3a47c846965f6066ea8
Opcode Fuzzy Hash: 8aa827a3b9d8233f21e407526a8f3a3eee8fd002d52d3088350f67c3707e7a02
Instruction Fuzzy Hash: 4F1114B6C003498FCB10CF9AD444BEEFBF4AB98314F11852AD416A7710C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9868, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00AD98D6

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7783ca7a6e05f2187786a60dfb2604610cbe6a1405c9cc08d4ccbe2e87031b26
Instruction ID: 4fee791196e0a5d2e4ef9a9ca59edce8fb0a7694e23a7a9b3214ac7085dec246
Opcode Fuzzy Hash: 7783ca7a6e05f2187786a60dfb2604610cbe6a1405c9cc08d4ccbe2e87031b26
Instruction Fuzzy Hash: BC1120B6C002498FCB20CF9AD444BDEBBF4EB99724F14816AC459A7700C379A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00AD98D6

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 495fe997f2be4600a91c7b00bfb01e3dcc5c3849784857ca21f014f85ee44c46
Instruction ID: 5af00ffccd485b9a74fda7959f81add32f9858f136513973ce1bdbde3acb0b1d
Opcode Fuzzy Hash: 495fe997f2be4600a91c7b00bfb01e3dcc5c3849784857ca21f014f85ee44c46
Instruction Fuzzy Hash: DC110FB6C002498FDB10CF9AD444BDEFBF4EB89724F14842AD419A7700C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFF38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00ADFF9D

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 35015e3b527569c25ad782b87302eae74d6b4f578223d85eee399dcfab9e765c
Instruction ID: f1ba67c63d76f705126a48d67fe1e9755f062a94b6b9d89278f324df2d338592
Opcode Fuzzy Hash: 35015e3b527569c25ad782b87302eae74d6b4f578223d85eee399dcfab9e765c
Instruction Fuzzy Hash: A91142B58002488FDB10CF99D485BDEFBF8EB59324F10841AE85AA7740C378AA40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFF40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00ADFF9D

Memory Dump Source

Source File: 0000000A.00000002.761917842.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cfa6c5f68c866c69e1b79cc58b28fcf780c2cb3268a9603708d3273aae742539
Instruction ID: 61f6ee674d940f57c5113be9f2f9f31d93140f5f5f627db190b17ec826b02077
Opcode Fuzzy Hash: cfa6c5f68c866c69e1b79cc58b28fcf780c2cb3268a9603708d3273aae742539
Instruction Fuzzy Hash: DF1112B58002499FDB10CF9AD484BDFFBF8EB58324F10841AE815A7340C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: kprUEGC.exe PID: 4928 Parent PID: 5608 kprUEGC.exeCOMMON

Executed Functions

Function 02CC6B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02CC6BB0
GetCurrentThread.KERNEL32 ref: 02CC6BED
GetCurrentProcess.KERNEL32 ref: 02CC6C2A
GetCurrentThreadId.KERNEL32 ref: 02CC6C83

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 36d5b913e8f750424bfa26cb4d52386606d3547db2fdc2b26df7d33de64a34a2
Instruction ID: d2bb4f0dbf9b176d396096792e876eebb848fb22d0f0e6a9c8a23fc10ddd269d
Opcode Fuzzy Hash: 36d5b913e8f750424bfa26cb4d52386606d3547db2fdc2b26df7d33de64a34a2
Instruction Fuzzy Hash: 3A5146B0A007499FDB54CFAAD648BDEBBF5EF88314F208499E019A7750D7346944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5184, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CC52A2

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5a13cdadfe5a4b18338dcbe508447baff5fbf9b25ba0423d344bdac320e1373b
Instruction ID: 21b33aed53d482f50ffdfaeaa82fd8d2ccefc69f296f06ec1b8a80c7bbf464ac
Opcode Fuzzy Hash: 5a13cdadfe5a4b18338dcbe508447baff5fbf9b25ba0423d344bdac320e1373b
Instruction Fuzzy Hash: F751C0B1D103099FDB14CFD9C884ADEBBB5BF88354F64812AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02CC5190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CC52A2

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f2021774c30ff9621b22ddf37834709bd517bdd41c3d7868f39887ffe828d4bc
Instruction ID: 5830bf59460117724016a633b78fbb655e531f22799f747238f8740d202c3631
Opcode Fuzzy Hash: f2021774c30ff9621b22ddf37834709bd517bdd41c3d7868f39887ffe828d4bc
Instruction Fuzzy Hash: 3F41C0B1D103099FDB14CF99C884ADEBBF5BF88354F64812AE819AB214D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02CC7D01

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0d7358e52f1881992dd6e6b373ca5eae11c87ab6037f138d2aaaf46c64e91054
Instruction ID: 78de029d7c76b62a3a104a9fa54a6b13bb293dcbe5db550ce67a4e0e8df2c008
Opcode Fuzzy Hash: 0d7358e52f1881992dd6e6b373ca5eae11c87ab6037f138d2aaaf46c64e91054
Instruction Fuzzy Hash: B84139B5A007058FDB14CF99C488BAAFBF5FB88314F24845CE519AB320C734A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02CCC3B9, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02CCC442

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e1a688d50361f4ab863bf3740ca84a5b92992f9195351740a0f38ec5d315f759
Instruction ID: 8e58ca48846b589171803311e8d7eb73652f2f01b9c83d52ffb7897d0f26273e
Opcode Fuzzy Hash: e1a688d50361f4ab863bf3740ca84a5b92992f9195351740a0f38ec5d315f759
Instruction Fuzzy Hash: B931D1709053459FDB10CFA9EA443AE7FF0EB4A318F14846AD448A7742C7796906CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6D71, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CC6DFF

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 754feb6c9d689e61b84bef0963d313bf6ad5bb8e9931b6af82ffe9ef2e64eeed
Instruction ID: d52b73a19c30d3bee25b60438bfbb9e785268658b208cd02c91aa33a4bae8de9
Opcode Fuzzy Hash: 754feb6c9d689e61b84bef0963d313bf6ad5bb8e9931b6af82ffe9ef2e64eeed
Instruction Fuzzy Hash: 7121E4B59002489FDB10CFA9D984AEEBBF4EB88324F14841AE854A7310D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CC6DFF

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6c0e448fdfa116f8d6b25225f724c8f52c0882edec2d52d9ff2d95dc4b467df4
Instruction ID: 73ac17da7b2e9aa8106f4f1678cd07d7ea7be67370a7653a1f85adfee5448f21
Opcode Fuzzy Hash: 6c0e448fdfa116f8d6b25225f724c8f52c0882edec2d52d9ff2d95dc4b467df4
Instruction Fuzzy Hash: F421F5B59002489FDB10CF99D984BDEBBF8FB48324F14801AE914A7310D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCC3C8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02CCC442

Memory Dump Source

Source File: 0000000D.00000002.934041758.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b505efcfdc0e3defc210fd3a52559154310057677ae04b2ebd1e36610eb8a134
Instruction ID: a0ae4338df3eca01fe53c094b83716cd624e2e23d1d64ce32809bed9abcbafb9
Opcode Fuzzy Hash: b505efcfdc0e3defc210fd3a52559154310057677ae04b2ebd1e36610eb8a134
Instruction Fuzzy Hash: 36116D709013058FDB10DFA9D5487AEBBF4EB49314F20C42AD405E7700C7796A45CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: kprUEGC.exe PID: 6300 Parent PID: 3424 kprUEGC.exeCOMMON

Executed Functions

Function 009DB681, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 009DB6F0
GetCurrentThread.KERNEL32 ref: 009DB72D
GetCurrentProcess.KERNEL32 ref: 009DB76A
GetCurrentThreadId.KERNEL32 ref: 009DB7C3

Strings

8}, xrefs: 009DB7AE

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: 8}
API String ID: 2063062207-3121977024
Opcode ID: f4c98893792050e272518afeee54133e91ee68769be19aee9b0e2f3fc10c6242
Instruction ID: 6e1c10098d558294c7a4af79fc61d3efc268e6caa726848275f85f742ec4cf9f
Opcode Fuzzy Hash: f4c98893792050e272518afeee54133e91ee68769be19aee9b0e2f3fc10c6242
Instruction Fuzzy Hash: 435147B4905248CFDB14CFAAD9887AEBBF1AF88314F24845AE419B7760CB745844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 009DB690, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 009DB6F0
GetCurrentThread.KERNEL32 ref: 009DB72D
GetCurrentProcess.KERNEL32 ref: 009DB76A
GetCurrentThreadId.KERNEL32 ref: 009DB7C3

Strings

8}, xrefs: 009DB7AE

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: 8}
API String ID: 2063062207-3121977024
Opcode ID: 9b9ae5aed0ffa7ea6542d424dab9b02b3009a3eb4d6e0d24fed49ef6ce444eb6
Instruction ID: 18c2a039257dfe1825d9ba7f9d08abb56ad374b5e2fa05e666aaf7b78c81ba32
Opcode Fuzzy Hash: 9b9ae5aed0ffa7ea6542d424dab9b02b3009a3eb4d6e0d24fed49ef6ce444eb6
Instruction Fuzzy Hash: 715154B0901248CFDB14CFAAD988BEEBBF1AF88314F20845AE019B7760CB745844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 067E472C, Relevance: 1.6, APIs: 1, Instructions: 147processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 067E488B

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 11fb31e3d80fac0afc3d7aca8858d6fa8e7558da32e851f24bcd3b027270b250
Instruction ID: 2c81107a31b221568c0b5a974c55224304b277ad06221774baa819bbca74ab84
Opcode Fuzzy Hash: 11fb31e3d80fac0afc3d7aca8858d6fa8e7558da32e851f24bcd3b027270b250
Instruction Fuzzy Hash: 32511571D013699FDB60CF99C880BDDBBB2BF48314F15819AE808B7250DB719A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 067E4738, Relevance: 1.6, APIs: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 067E488B

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e27b898f27f5ebabef1a33030f117179b0e959c3fe30be060a79cb3a124de2c4
Instruction ID: 7a5dd11a0629fdbb154febe0bf54e876b4611cb664d692c93cf55d836c6eea46
Opcode Fuzzy Hash: e27b898f27f5ebabef1a33030f117179b0e959c3fe30be060a79cb3a124de2c4
Instruction Fuzzy Hash: C551F471D003299FDB60CF99C980BDDBBB6BF48314F15819AE808B7254DB719A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009DFCED, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009DFE0A

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c5dd09ffd956aed99096c83ec8c08916a08ebbbd27c8e9b2c655f6d59f7d96e4
Instruction ID: 0649aab60a617ee4f8520b72a81784d9495e5f07ef3f6c37085a47e2feedfff5
Opcode Fuzzy Hash: c5dd09ffd956aed99096c83ec8c08916a08ebbbd27c8e9b2c655f6d59f7d96e4
Instruction Fuzzy Hash: 8151FEB1C003089FDB14CFAAC890ADEBFB5BF88314F24812AE419AB260D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009DFCF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009DFE0A

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c4b0f47233a3cd64524b469c9b2c14827ba03c201d9c73f1eb3fc3a68bb20b00
Instruction ID: afdc52267da504d1d524622add035220f5f5f37f058fa360406ec7cc4c85ea89
Opcode Fuzzy Hash: c4b0f47233a3cd64524b469c9b2c14827ba03c201d9c73f1eb3fc3a68bb20b00
Instruction Fuzzy Hash: 2A41B0B1D003099FDF14CFAAC895ADEFBB5BF48314F24812AE419AB251D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009D3DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009D5421

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dbec9e872d73822cd9393ad52d999f091443e37b68e87310edc7ce608605f6c5
Instruction ID: f5ec44530c9b4b5904752cdfc8c9386bcc9b1aaadf741a9671659865fea6cdef
Opcode Fuzzy Hash: dbec9e872d73822cd9393ad52d999f091443e37b68e87310edc7ce608605f6c5
Instruction Fuzzy Hash: 07410471C04718CBDB24DFA9C884BDDBBB5BF88308F21846AD408BB261DBB55945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009D9868, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009D98D6

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4f7bebc04bb75cf905ab3281d9b998e09ec771ad37fe3830f4a96c44eeddb1ca
Instruction ID: 6645bc065379a89dff2bd7a37068f8170a4716c02e190b03291c3f780af9b50e
Opcode Fuzzy Hash: 4f7bebc04bb75cf905ab3281d9b998e09ec771ad37fe3830f4a96c44eeddb1ca
Instruction Fuzzy Hash: A231D4B1D052058FCB10DFAAC4406EEBBF8EF88314F14C02AD805A7350D774A806CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D536F, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009D5421

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3a11df53a24a06e03181d78f114aea50f3e97fc8211d1c770df9838aeb248cd7
Instruction ID: c7b973b9767f56e26b65f6a7f40d02ea70730034547de1c8dcc92eb409dcfc4a
Opcode Fuzzy Hash: 3a11df53a24a06e03181d78f114aea50f3e97fc8211d1c770df9838aeb248cd7
Instruction Fuzzy Hash: 5C41F371C04618CFDB24DFA9C884BDDBBB5BF88308F25816AD408BB261DBB55946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 067E68A8, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 067E6908

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: fd4f95295af4ac34134fe0f202074e3b5f6fa8c7b0d3e7488f3c1d31e6dfe03d
Instruction ID: 6b0d681b147fd51f54568fff0676b16145d002c9c466d11b7701ff9a235a0534
Opcode Fuzzy Hash: fd4f95295af4ac34134fe0f202074e3b5f6fa8c7b0d3e7488f3c1d31e6dfe03d
Instruction Fuzzy Hash: 832145B1900249DFDB50CFA9D984BEEBBF0EF58324F148459D415AB251C738AA49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4CE1, Relevance: 1.6, APIs: 1, Instructions: 67injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 067E4D75

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 765b43fb0534c1dadae9e196511ced8aa80d8121c3082c164382863538f8b267
Instruction ID: 3f9eeeecc96d952da004ff60630e6f7985ddd48c4966d5cd8bffed59bc43fd1c
Opcode Fuzzy Hash: 765b43fb0534c1dadae9e196511ced8aa80d8121c3082c164382863538f8b267
Instruction Fuzzy Hash: D42125B5901249DFCB10CFAAC884BEEBBF4FB4C320F10842AE518A7650D374A544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4CE8, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 067E4D75

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3900f3d5fb8e0b73ef8abf54e18ab98c794935952f9b720c94e7d902af91889f
Instruction ID: 1fffec2d5cc6044dbf92dea46ae23d09a5ab16433e74eec34e8335774de3fc60
Opcode Fuzzy Hash: 3900f3d5fb8e0b73ef8abf54e18ab98c794935952f9b720c94e7d902af91889f
Instruction Fuzzy Hash: B721E6B5900259DFCB50CF9AD885BEEBBF4FB4C314F10842AE518A7250D774A544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009DB8B3, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009DB93F

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4b194de2c0e163bb8db44073eab8f7e3786d77d2521ca8e5825f87497aa5a518
Instruction ID: 2b594d607e98158f62aca668956d84269cc4d0bc6e1615948024387a5f561ae2
Opcode Fuzzy Hash: 4b194de2c0e163bb8db44073eab8f7e3786d77d2521ca8e5825f87497aa5a518
Instruction Fuzzy Hash: 2621E6B5900248DFDB10CF99D884BDEFBF8EB48324F14841AE914A3310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E1BC0, Relevance: 1.6, APIs: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 067E5725

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b97d76e3a6e75f7080b213eb649d43b26ffd080dd4e45e49a166a96c191a5d95
Instruction ID: d254f6e0fcf9698e49b0c6a679785255ebd7175ac81e15122fe4a7ade9c52165
Opcode Fuzzy Hash: b97d76e3a6e75f7080b213eb649d43b26ffd080dd4e45e49a166a96c191a5d95
Instruction Fuzzy Hash: 882179B18093889FDB11DF99D884BDABFF4EF09314F04849AD494A7651D3746948CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 009DB8B8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009DB93F

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 02f62218414dd3dfda5ebe38eef3ef6a7472e9884aa92d01b3bc00aa49395524
Instruction ID: 2fc44abbeda247fdd5b4a063dac76579840cf6d80de92edb2c110973b0c0b715
Opcode Fuzzy Hash: 02f62218414dd3dfda5ebe38eef3ef6a7472e9884aa92d01b3bc00aa49395524
Instruction Fuzzy Hash: FB21C4B5901259DFDB10CF9AD884BDEFBF8EB48324F14841AE914A7350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4B69, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 067E4BEF

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 02725fb21af85ae2aa3fd7a1e1ad289f7c879b52507525cc38f6399b8e80bd89
Instruction ID: 171239b1a4e44b60f8dc880e44a1309a2b1c1b8a50daa72b7e3c37c5b45269b9
Opcode Fuzzy Hash: 02725fb21af85ae2aa3fd7a1e1ad289f7c879b52507525cc38f6399b8e80bd89
Instruction Fuzzy Hash: A521E2B1905299DFCB10CF9AC884BDEFBF4BB48320F14842AE958A7650D378A544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4AA9, Relevance: 1.6, APIs: 1, Instructions: 60threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 067E4B27

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 086ac533fab2c00667e33237fac09465c06bddde76fdbed95da19fef44a43855
Instruction ID: 99e25025e80cafad2f43e7ac39eb1a2e69a26d68c5fabf2e0e2e44cf59f6d475
Opcode Fuzzy Hash: 086ac533fab2c00667e33237fac09465c06bddde76fdbed95da19fef44a43855
Instruction Fuzzy Hash: 91213B71D10259DFDB40CFAAD885BEEFBF4BB48614F04812AD418A3640D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4B70, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 067E4BEF

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8c6d10193a1a0091e116af0a60419dc61d22b6cd9994e866ad72c60391e4cea9
Instruction ID: 795660623f8bba2857d1b48042744f29d4395e55d769dc3f16be4fea2bec328e
Opcode Fuzzy Hash: 8c6d10193a1a0091e116af0a60419dc61d22b6cd9994e866ad72c60391e4cea9
Instruction Fuzzy Hash: D521DEB1901259DFCB10CF9AD884BDEFBF4FB48324F10842AE918A7250D378A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4AB0, Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 067E4B27

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0551f2e79acd1f4ca631d1b4783eabfe0073cf17e21be640f05d39ab7d4c9611
Instruction ID: b53d6eafb1b8f4b8d730b5893d279f9b80beb451a1be12df468255f47e12faf4
Opcode Fuzzy Hash: 0551f2e79acd1f4ca631d1b4783eabfe0073cf17e21be640f05d39ab7d4c9611
Instruction Fuzzy Hash: ED2114B1D00259DFCB40CF9AD885BEEFBF8BB48624F04812AD418B3640D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E6950, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 067E6908

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e6e433f0de5af07ae68519185e1a9440046f3c4ad132356aeb80b9515a0dacf9
Instruction ID: 8c849c6630de7ccaa272cffc76f18caf0c52481020eed0e89165c80e5e7422ed
Opcode Fuzzy Hash: e6e433f0de5af07ae68519185e1a9440046f3c4ad132356aeb80b9515a0dacf9
Instruction Fuzzy Hash: A0110A75404304CFCB80DFA4D804BEABBF5EF59354F11816AE1649B261C739D549CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D9AF0, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009D9951,00000800,00000000,00000000), ref: 009D9B62

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7ad1a9e23654858636dd77a3855951b200ca7542a695fb12b7709400908a051a
Instruction ID: 5bf66cbecfeaa7fd2a2455eab9de6a1e1ecc4220be49bf47e7a6b0b49ee7b6e0
Opcode Fuzzy Hash: 7ad1a9e23654858636dd77a3855951b200ca7542a695fb12b7709400908a051a
Instruction Fuzzy Hash: 921117B68403499FCB10DF9AD484BDEFBF8EB88724F10842AE415A7700C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D9478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009D9951,00000800,00000000,00000000), ref: 009D9B62

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fd03062efb5e415c4821df7ebf1ed3829095258afc8f3a56fed2bce6a4df1144
Instruction ID: 3ce1d4932ffd100c7597b2aa656710210adf217f841b294936b580d6b09d6fac
Opcode Fuzzy Hash: fd03062efb5e415c4821df7ebf1ed3829095258afc8f3a56fed2bce6a4df1144
Instruction Fuzzy Hash: 5B1117B69003499FCB10DF9AD444BDEFBF8EB48324F10842AD415A7700C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4C38, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 067E4CAB

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 640b0af6269d575d91a0dcdbefcc7373a054b2bbc5a32c81a8cc2c334cb79e07
Instruction ID: 0210c6e0d9845d85b9bb6aca7e1ae8d7bd02537c0c6ad0b1f2c3d9f1f2899ebe
Opcode Fuzzy Hash: 640b0af6269d575d91a0dcdbefcc7373a054b2bbc5a32c81a8cc2c334cb79e07
Instruction Fuzzy Hash: CE1134B2904249DFCB10CF9AD884BDEFFF4EB48324F10841AE568A7650C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4C40, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 067E4CAB

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e6d26865c9e77aaea337199775d00567dd948fecc2479c149f3223a138880e2e
Instruction ID: 85b3f5d44ca0349ce11badb27867ffa75952bc22e982338a19d2a738534b729c
Opcode Fuzzy Hash: e6d26865c9e77aaea337199775d00567dd948fecc2479c149f3223a138880e2e
Instruction Fuzzy Hash: 7011E0B6904249DFCB10CF9AD884BDEBBF8EB88324F108419E529A7650C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D9870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009D98D6

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 82e72eceb5754b73cff2630a3ea5331ab29587a3572403fd9cd8a7c6841e44c3
Instruction ID: 6334f1f8488db86a3cb98fa7117e33734c97fe0b980573e52161948d9165c675
Opcode Fuzzy Hash: 82e72eceb5754b73cff2630a3ea5331ab29587a3572403fd9cd8a7c6841e44c3
Instruction Fuzzy Hash: 9411DFB6C002498FDB10DF9AD444BDEFBF8EB89724F14842AD429A7700D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E56C0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 067E5725

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b5f7422b59034b86b40d06275aed5cb7b0361402d919cf9abf0f4c59f8984683
Instruction ID: 0112bf76383d35f35c2742633c39a4274370652484ebc9fe089991118d3f8e89
Opcode Fuzzy Hash: b5f7422b59034b86b40d06275aed5cb7b0361402d919cf9abf0f4c59f8984683
Instruction Fuzzy Hash: 9E1125B5804249DFDB10CF99C884BDEFFF4EB58324F10845AD494A7200C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E1BB0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 067E5725

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b5f59af1d5aa5f1a24f9864491b9c6e2dd6d61cd8529fd3a250e89ed86471125
Instruction ID: 360318e8a68bfc6ccab19cc833730b290378b7a7695f8e749dc7c530f297931a
Opcode Fuzzy Hash: b5f59af1d5aa5f1a24f9864491b9c6e2dd6d61cd8529fd3a250e89ed86471125
Instruction Fuzzy Hash: 281103B5800348DFDB50CF9AD885BEEFBF8EB58324F148419E514A7600D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009DFF38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 009DFF9D

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 21091ad53ca8c9507ed9012d407317172783b5e83c3357382f4a679e8a31c6d1
Instruction ID: 4fa726eadca04f2f0c069c0451423624e04cf4a96f046723de648b781afc8f76
Opcode Fuzzy Hash: 21091ad53ca8c9507ed9012d407317172783b5e83c3357382f4a679e8a31c6d1
Instruction Fuzzy Hash: 4C1115B59042499FDB10CF99D485BDEFFF8EB49324F10841AD865A7340C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4DB8, Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 067E4E1F

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b47b0d41c7c4b5f4ae55bb0f335969c3c43232656d2e1f2b906de374b6c927a8
Instruction ID: b366d0c74a204a11983f4519324242007c90954ed6eb587579f2e0ff3765754b
Opcode Fuzzy Hash: b47b0d41c7c4b5f4ae55bb0f335969c3c43232656d2e1f2b906de374b6c927a8
Instruction Fuzzy Hash: 0A1130B1800249CFCB50CF9AD484BEEFBF4EB48324F10846AD429A7600C378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009DFF40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 009DFF9D

Memory Dump Source

Source File: 0000000E.00000002.783922995.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 93bdb575b70d7cf17af340e0f41a35eceda36fad068a5c5a52c2a4fc4d4025a3
Instruction ID: 12e83e30787f0bed728b5346a6e00865a61fb8c12adc8cda0dc1e0dfe722d8cc
Opcode Fuzzy Hash: 93bdb575b70d7cf17af340e0f41a35eceda36fad068a5c5a52c2a4fc4d4025a3
Instruction Fuzzy Hash: BD11E2B58002499FDB10DF9AD585BDEFBF8EB48324F10841AE915A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E4DC0, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 067E4E1F

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b702fa2d3bd75c59db0fc6b66198f7b608cbb3fe8d735dc9d68cf1ff779b6cbb
Instruction ID: 57eeb01298a6b61db2670b9631519a69316c1057097bf08d29c08b22d9eb805e
Opcode Fuzzy Hash: b702fa2d3bd75c59db0fc6b66198f7b608cbb3fe8d735dc9d68cf1ff779b6cbb
Instruction Fuzzy Hash: 7D1123B1804249CFCB10CF9AD884BDEFBF8EB48324F10841AD518A7740C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E68E1, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 067E6908

Memory Dump Source

Source File: 0000000E.00000002.797877606.00000000067E0000.00000040.00000001.sdmp, Offset: 067E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8114a6dfca7dc05982f2cc2af34798c7bbad5d40faea1c5d187e0921cb681908
Instruction ID: 101a019a63088cd39d634b9dcde2af61fd6507eda67109bba337a5743919f5f5
Opcode Fuzzy Hash: 8114a6dfca7dc05982f2cc2af34798c7bbad5d40faea1c5d187e0921cb681908
Instruction Fuzzy Hash: 3AF049B6904209CFDB10CF99D4447EEBBF0EF98324F15842AD568A7751C738A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0093D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783587784.000000000093D000.00000040.00000001.sdmp, Offset: 0093D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76611a5a21d27f6b39fae30f78561b895eefe369b8ac1dd87abff69ec2277aa
Instruction ID: 40e4a90eaa4e8a16c1af79b71eab7ec013e07cffad5252267350fdd4dd26a322
Opcode Fuzzy Hash: f76611a5a21d27f6b39fae30f78561b895eefe369b8ac1dd87abff69ec2277aa
Instruction Fuzzy Hash: C72137B1605240EFDF05DF14E8D0B26BF65FB88328F24C569E8050B24AC33AD856CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0094D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783655001.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86f85c6128b66d8b18339681b00130b9935f5feb97d7fa9943212f4aed024e1
Instruction ID: a934b5d3ed295f05a1e85d4511dc76d1a35ceda7c1dcdba49826e3d1ab9e391a
Opcode Fuzzy Hash: b86f85c6128b66d8b18339681b00130b9935f5feb97d7fa9943212f4aed024e1
Instruction Fuzzy Hash: 3D213B79604240EFDB05CF10D9C0F26BBA5FB88318F24CA6DE8094B346C7BAD846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0094D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783655001.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad38b8ab8d28279886e04cdc83f2e2596bb04202ce42a4be5eb74bb0db9a8e4c
Instruction ID: 2ce001230684239a316605c154d57506ee7d810513bd932ae08cc262a53e8e22
Opcode Fuzzy Hash: ad38b8ab8d28279886e04cdc83f2e2596bb04202ce42a4be5eb74bb0db9a8e4c
Instruction Fuzzy Hash: CE21F279608240EFDB14CF14D8C4F26BB65FB88714F24C9A9D80A4B346C77AD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0094D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783655001.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6de1c8f88b8d2bd68ebd50838c8c0f3a0d2185d5732321aa8ca6c4519851a39
Instruction ID: 077de408f2538807dc4fb3ce126864d87e2c2736281044a4710025f6fed49b34
Opcode Fuzzy Hash: e6de1c8f88b8d2bd68ebd50838c8c0f3a0d2185d5732321aa8ca6c4519851a39
Instruction Fuzzy Hash: 0C214C755093C08FCB12CF24D994B15BF71AB46214F28C5EAD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0093D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783587784.000000000093D000.00000040.00000001.sdmp, Offset: 0093D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction ID: 40f88fac74ed962b321abf97020273ed3d300814dba60752818faeecc4b553a9
Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
Instruction Fuzzy Hash: 5011B176505280CFCB12CF10D5D4B16BF71FB94324F24C6A9E8454B61AC33AD956CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0094D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783655001.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction ID: a3449760c785a010e6aa05a051e77914416833240177a733921d2c3cc0ddae26
Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
Instruction Fuzzy Hash: DE119A79904280DFDB12CF10D5C4B15FBB1FB84324F28C6AED8494B656C37AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0093D781, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783587784.000000000093D000.00000040.00000001.sdmp, Offset: 0093D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25a01532019a122eeec4406344fd594418e3458ced546d202bd49d0774076e8
Instruction ID: 193293da7c4f1d0ef8d19c8cbea4f50cd0ea01f6edd63e1658cff4eb5c6fb9ae
Opcode Fuzzy Hash: a25a01532019a122eeec4406344fd594418e3458ced546d202bd49d0774076e8
Instruction Fuzzy Hash: A1012BB1409380AAE7204E16ECD0766FBDCEF45734F18885AED061B642C7789C44CEB1

Uniqueness

Uniqueness Score: -1.00%

Function 0093D780, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.783587784.000000000093D000.00000040.00000001.sdmp, Offset: 0093D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e863cd0440ca5dc5a150f94e931144854a8dca6999b8dc5009d4bc22f8da85f1
Instruction ID: 716d4f3e70e8a995a224296f7c4586aa38733083aa0aa726a6b66db12a2e1512
Opcode Fuzzy Hash: e863cd0440ca5dc5a150f94e931144854a8dca6999b8dc5009d4bc22f8da85f1
Instruction Fuzzy Hash: 5DF062B14092849BEB208E16DCD4B62FBACEB51774F18C45AED095B686C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ORDER.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre