Analysis Report payment details.exe

Overview

General Information

Sample Name:payment details.exe
Analysis ID:383908
MD5:55191839573ac8fd25655b3561286bc1
SHA1:b9e85e2ab05e4b027a3f522fd690b097aa4a4aad
SHA256:e81d917830f3fabca0557b899267ebe84ecc6fcbb5e1cd649284d1370d8a8876
Tags:AgentTesla

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • payment details.exe (PID: 7008 cmdline: 'C:\Users\user\Desktop\payment details.exe' MD5: 55191839573AC8FD25655B3561286BC1)
  • kprUEGC.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 55191839573AC8FD25655B3561286BC1)
    • kprUEGC.exe (PID: 6932 cmdline: {path} MD5: 55191839573AC8FD25655B3561286BC1)
  • kprUEGC.exe (PID: 7132 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 55191839573AC8FD25655B3561286BC1)
    • kprUEGC.exe (PID: 816 cmdline: {path} MD5: 55191839573AC8FD25655B3561286BC1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ho@almasroor.com042264528mail.almasroor.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
[18 entries in the full report; list truncated in this export]
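The dump names in this table pack several facts into one dotted string, and the two that matter for triage are the process and the page protection: the AgentTesla rule fires on 0x402000 regions marked 0x40 in processes 5 and 0x13 (19), which is where an injected, unpacked stage would sit, while the 0x04 hits are read/write data. The script below is an added example written for this report, not Joe Sandbox code. It assumes the layout process.phase.dumpid.base.protection.type (the first field lines up with the process numbers in the "Unpacked PEs" names, e.g. 00000013 and 19.2.kprUEGC.exe) and assumes the protection field is a verbatim Windows PAGE_* value; the last field is left undecoded.

```python
"""Decode Joe Sandbox memory-dump identifiers and rank likely payload regions.

Added example for this report, not sandbox code. The field layout
    <process index>.<phase>.<dump id>.<base address>.<protection>.<type>.sdmp
is inferred from the identifiers on this page: the first field matches the
process number in the "Unpacked PEs" names (00000013 == 19.2.kprUEGC.exe...),
the fourth is the region base address. The protection field is decoded against
the Windows PAGE_* constants on the assumption that the sandbox records the
region protection verbatim (0x40 == PAGE_EXECUTE_READWRITE); the meaning of the
last field is not decoded here.
"""
import re
from dataclasses import dataclass

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* value has one of these bits set

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Dump:
    process: int
    phase: int
    dump_id: int
    base: int
    protection: int
    region_type: int
    rule: str = ""

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTE_MASK)


def parse_dump(name: str, rule: str = "") -> Dump:
    """Split one .sdmp identifier into typed fields; raise on anything else."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory-dump identifier: {name!r}")
    return Dump(
        process=int(m["proc"], 16), phase=int(m["phase"], 16), dump_id=int(m["dump"]),
        base=int(m["base"], 16), protection=int(m["prot"], 16),
        region_type=int(m["type"], 16), rule=rule,
    )


def payload_candidates(dumps):
    """Executable regions are where an unpacked stage can run; the read/write
    hits only hold carved strings or heap. Order by process, then address."""
    return sorted((d for d in dumps if d.executable), key=lambda d: (d.process, d.base))


# Rows copied from the "Memory Dumps" Yara table of this report.
YARA_HITS = [
    ("00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp", "JoeSecurity_CredentialStealer"),
]


def summarize(rows=YARA_HITS):
    """One line per executable rule hit: process number, base, protection, rule."""
    dumps = [parse_dump(name, rule) for name, rule in rows]
    return [f"process {d.process} base {d.base:#010x} {d.protection_name} {d.rule}"
            for d in payload_candidates(dumps)]


if __name__ == "__main__":
    for line in summarize():
        print(line)
```

Run against the five rows above it leaves exactly two lines, both at base 0x00402000 with PAGE_EXECUTE_READWRITE, in processes 5 and 19: the dumps to pull first when you want the unpacked AgentTesla stage rather than its strings.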

            Unpacked PEs

Source | Rule | Description | Author
0.2.payment details.exe.3e052e8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
15.2.kprUEGC.exe.39952e8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.payment details.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
16.2.kprUEGC.exe.3db52e8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.payment details.exe.3e052e8.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
[4 entries in the full report; list truncated in this export]

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      AV Detection:

Found malware configuration
Source: 0.2.payment details.exe.3e052e8.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ho@almasroor.com042264528mail.almasroor.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: payment details.exe | Virustotal: Detection: 31%
Source: payment details.exe | ReversingLabs: Detection: 33%
Source: 5.2.payment details.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: payment details.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment details.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 69.65.3.206:587
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 69.65.3.206:587
Source: Joe Sandbox View | ASN Name: ASN-GIGENETUS
Source: unknown | DNS traffic detected: queries for: mail.almasroor.com

Strings found in binary or memory, grouped by the memory dumps they were carved from:

Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp; kprUEGC.exe, 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp; kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp
  http://127.0.0.1:HTTP/1.1
  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp
  http://DynDns.comDynDNS
  http://bQxorv.com
  https://api.ipify.org%GETMozilla/5.0
Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp
  https://api.ipify.org%$
Source: payment details.exe, 00000005.00000002.923488347.0000000002D15000.00000004.00000001.sdmp
  http://almasroor.com
  http://mail.almasroor.com
Source: payment details.exe, 00000005.00000002.923358633.0000000002CD9000.00000004.00000001.sdmp
  http://uDoQcdZGpyqzP0ZwyV.com
Source: kprUEGC.exe, payment details.exe
  https://github.com/michel-pi/EasyBot.Net
Source: payment details.exe, 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp; payment details.exe, 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp; kprUEGC.exe, 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp; kprUEGC.exe, 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp; kprUEGC.exe, 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp; kprUEGC.exe, 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp
  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp; kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp; kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp
  http://fontfabrik.com
  http://www.apache.org/licenses/LICENSE-2.0
  http://www.carterandcone.coml
  http://www.fontbureau.com
  http://www.fontbureau.com/designers/?
  http://www.fontbureau.com/designers/cabarga.htmlN
  http://www.fontbureau.com/designers/frere-user.html
  http://www.fontbureau.com/designers8
  http://www.fontbureau.com/designers?
  http://www.fontbureau.com/designersG
  http://www.fonts.com
  http://www.founder.com.cn/cn
  http://www.founder.com.cn/cn/bThe
  http://www.founder.com.cn/cn/cThe
  http://www.galapagosdesign.com/DPlease
  http://www.galapagosdesign.com/staff/dennis.htm
  http://www.goodfont.co.kr
  http://www.jiyu-kobo.co.jp/
  http://www.sajatypeworks.com
  http://www.sakkal.com
  http://www.sandoll.co.kr
  http://www.typography.netD
  http://www.urwpp.deDPlease
  http://www.zhongyicts.com.cn
Source: kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp
  http://www.fontbureau.com/designers
  http://www.tiro.com

Source: C:\Users\user\Desktop\payment details.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window created: window name: CLIPBRDWNDCLASS
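The Snort hit and the TCP flow above describe the same thing from two angles: a freshly dropped binary resolving a mail host and opening a submission-port connection straight to an Internet address. The script below is an added example for this report; it is not the Emerging Threats rule and not sandbox code. It assumes endpoint telemetry arrives as one JSON object per line (proc/type/src/dst/proto for flows, proc/type/query for DNS) and uses a hypothetical allowlist of mail clients; the first two sample records reuse the flow and DNS query recorded above, the rest are constructed.

```python
"""Flag outbound mail-submission traffic from processes that have no business
sending mail, the pattern behind the Snort hit above.

Added example, not part of the sandbox report or of any Emerging Threats rule.
The record shape (one JSON object per line with proc/type/src/dst/proto or
proc/type/query) and the mail-client allowlist are assumptions to adapt to your
EDR telemetry. The sample records are constructed; the first two reuse the flow
and DNS query this report observed.
"""
import json
from ipaddress import ip_address

MAIL_SUBMISSION_PORTS = {25, 465, 587}
# Hypothetical allowlist: binaries expected to speak SMTP from a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"proc": "payment details.exe", "type": "dns", "query": "mail.almasroor.com"},
    {"proc": "payment details.exe", "type": "flow", "proto": "tcp",
     "src": "192.168.2.4:49764", "dst": "69.65.3.206:587"},
    {"proc": "OUTLOOK.EXE", "type": "flow", "proto": "tcp",
     "src": "192.168.2.4:50112", "dst": "40.99.10.2:587"},
    {"proc": "chrome.exe", "type": "flow", "proto": "tcp",
     "src": "192.168.2.4:50200", "dst": "142.250.74.14:443"},
    {"proc": "kprUEGC.exe", "type": "flow", "proto": "tcp",
     "src": "192.168.2.4:50301", "dst": "10.0.0.25:25"},
])


def split_endpoint(endpoint):
    """'69.65.3.206:587' -> ('69.65.3.206', 587); rpartition keeps IPv6 intact."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def smtp_findings(events_text):
    findings = []
    dns_by_proc = {}  # process -> names it resolved earlier in the stream
    for raw in events_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        proc = ev["proc"].lower()
        if ev["type"] == "dns":
            dns_by_proc.setdefault(proc, []).append(ev["query"])
            continue
        if ev.get("proto") != "tcp":
            continue
        dst_ip, dst_port = split_endpoint(ev["dst"])
        if dst_port not in MAIL_SUBMISSION_PORTS or proc in MAIL_CLIENTS:
            continue
        # Mail straight to an Internet host from an unknown binary is the
        # stealer pattern; an internal relay still deserves a look.
        severity = "high" if ip_address(dst_ip).is_global else "medium"
        findings.append({
            "proc": ev["proc"], "dst": ev["dst"], "severity": severity,
            "resolved": dns_by_proc.get(proc, []),
        })
    return findings


if __name__ == "__main__":
    for f in smtp_findings(SAMPLE_EVENTS):
        print(f)
```

On the sample the allowlisted Outlook flow and the HTTPS flow drop out, the report's own 69.65.3.206:587 connection is rated high and carries the mail.almasroor.com lookup that preceded it, and the constructed kprUEGC.exe connection to an internal relay is rated medium.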

                      Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\payment details.exe | File written: C:\Windows\System32\drivers\etc\hosts
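The report records that the hosts file was written but not what was written, so the useful follow-up on an affected host is to diff the file against what is expected there. The audit below is an added example for this report, not sandbox code; its sample hosts content is constructed, and its policy (only the localhost mappings are expected, a vendor or update name pointed at a black-hole address or any name pointed at a real address is high) and the watchlist of domains are assumptions to adjust for your environment.

```python
"""Audit a Windows hosts file for entries a stealer might have planted.

Added example, not from the report. The report records only that
C:\\Windows\\System32\\drivers\\etc\\hosts was written, not what was written, so
the sample content below is constructed. The policy is an assumption: the only
expected mappings are the localhost ones; a well-known vendor or update name
pointed at a black-hole address, or any name pointed at a real address, is
reported as high.
"""
from ipaddress import ip_address

EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Hypothetical watchlist of domains malware commonly sinkholes to blind defences.
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "virustotal.com",
                   "symantec.com", "kaspersky.com")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 localhost
127.0.0.1 dev.local
0.0.0.0 www.virustotal.com
127.0.0.1 update.microsoft.com  # looks like a pin, actually a black hole
198.51.100.7 mail.example.org
"""


def parse_hosts(text):
    """Yield (line number, ip, name) for every mapping, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for name in fields[1:]:
            yield lineno, str(ip), name.lower()


def is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        addr = ip_address(ip)
        black_hole = addr.is_loopback or addr.is_unspecified
        if black_hole and is_watched(name):
            severity, reason = "high", "security/update domain black-holed"
        elif not black_hole:
            severity, reason = "high", "name redirected to a real address"
        else:
            severity, reason = "low", "unexpected local override"
        findings.append({"line": lineno, "ip": ip, "name": name,
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f)
```

On the constructed sample the two commented defaults and the real localhost line are ignored, the dev.local override is low, and the three remaining lines are high: two vendor names black-holed (one disguised as a pin to 127.0.0.1) and one name redirected to an outside address.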

                      System Summary:

.NET source code contains very large array initializations
Source: 5.2.payment details.exe.400000.0.unpack, <PrivateImplementationDetails>{E39C872E-8914-48C3-BF35-A8B0A9168404}/11446D9E-E05F-4878-AF9E-244D020F16BC.cs | Large array initialization: .cctor: array initializer size 11951
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: payment details.exe
Source: C:\Users\user\Desktop\payment details.exe
  Code functions: 0_2_010CC204, 0_2_010CE623, 0_2_010CE630, 0_2_012A2068, 0_2_012A0040, 0_2_012A5720, 0_2_012A59D0, 0_2_012A0006, 0_2_012A2059, 0_2_012A4279, 0_2_012A4288, 0_2_012A2548, 0_2_012A5420, 0_2_012A5412, 0_2_012A1716, 0_2_012A5716, 0_2_012A1760, 0_2_012A29F8, 0_2_012A59CA, 0_2_012A2A08, 0_2_012A2FF8, 0_2_012A2FC5
  Code functions: 5_2_00E047A0, 5_2_00E04790
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
  Code functions: 15_2_00CFC204, 15_2_00CFE620, 15_2_00CFE630, 15_2_02612068, 15_2_02610040, 15_2_02615720, 15_2_026159D0, 15_2_02614282, 15_2_02614285, 15_2_02614288, 15_2_02612059, 15_2_02610028, 15_2_02610006, 15_2_02611760, 15_2_02612760, 15_2_02612768, 15_2_0261175B, 15_2_02615710, 15_2_02615716, 15_2_02615718, 15_2_0261571C, 15_2_02615420, 15_2_02615412, 15_2_02615418, 15_2_02612548, 15_2_02612A08, 15_2_026129F8, 15_2_026159CA, 15_2_026159CC, 15_2_02612FF8, 15_2_02612FC5, 15_2_04DDD990
  Code functions: 16_2_0100C204, 16_2_0100E620, 16_2_0100E630, 16_2_02B82068, 16_2_02B80040, 16_2_02B859D0, 16_2_02B84288, 16_2_02B84279, 16_2_02B80006, 16_2_02B82059, 16_2_02B81760, 16_2_02B8175D, 16_2_02B85420, 16_2_02B85412, 16_2_02B82548, 16_2_02B82A08, 16_2_02B829F8, 16_2_02B859CA, 16_2_02B82FF8, 16_2_02B82FC5, 16_2_06D89CE0, 16_2_06D8B4B0, 16_2_06D8C440, 16_2_06D8ADB0, 16_2_06D8BA70, 16_2_06D83A30, 16_2_06D84B78, 16_2_06D87B13, 16_2_06D8D300, 16_2_06D890B0, 16_2_06D84978, 16_2_06D8F6F0, 16_2_06D8F6E1, 16_2_06D8F4C8, 16_2_06D8F4B9, 16_2_06D8B4A0, 16_2_06D8C430, 16_2_06D8AD57, 16_2_06D8F2D2, 16_2_06D8F2E0, 16_2_06D8D2E7, 16_2_06D8BA60, 16_2_06D8BA22, 16_2_06D88868, 16_2_06D891C8, 16_2_06D8A180, 16_2_06D8E150, 16_2_06D8A170
Source: payment details.exe | Binary or memory string: OriginalFilename vs payment details.exe
Source: payment details.exe, 00000000.00000002.698248951.0000000007C21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs payment details.exe
Source: payment details.exe, 00000000.00000002.698248951.0000000007C21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameelxZSujHMHuHJxbAMwLHIgWJxBXR.exe4 vs payment details.exe
Source: payment details.exe, 00000000.00000002.690812300.0000000002C51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs payment details.exe
Source: payment details.exe, 00000000.00000002.697919901.00000000077D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs payment details.exe
Source: payment details.exe, 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameelxZSujHMHuHJxbAMwLHIgWJxBXR.exe4 vs payment details.exe
Source: payment details.exe, 00000005.00000003.898574525.0000000000E9D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs payment details.exe
Source: payment details.exe, 00000005.00000002.917609197.0000000000C00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs payment details.exe
Source: payment details.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment details.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.payment details.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/6@2/1
Source: C:\Users\user\Desktop\payment details.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment details.exe.log
Source: payment details.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment details.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\payment details.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: payment details.exe | Virustotal: Detection: 31%
Source: payment details.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\payment details.exe | File read: C:\Users\user\Desktop\payment details.exe
Source: unknown | Process created: C:\Users\user\Desktop\payment details.exe 'C:\Users\user\Desktop\payment details.exe'
Source: C:\Users\user\Desktop\payment details.exe | Process created: C:\Users\user\Desktop\payment details.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\Desktop\payment details.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\payment details.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: payment details.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment details.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: payment details.exe, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.payment details.exe.800000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.payment details.exe.800000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: kprUEGC.exe.5.dr, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.2.payment details.exe.620000.1.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.payment details.exe.620000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 15.0.kprUEGC.exe.3c0000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 15.2.kprUEGC.exe.3c0000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.2.kprUEGC.exe.7f0000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.0.kprUEGC.exe.7f0000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 18.2.kprUEGC.exe.c40000.1.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C4120 push ecx; ret | 0_2_010C4122
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C41E3 push esp; ret | 0_2_010C41EA
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C40C0 push ecx; ret | 0_2_010C40C2
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C40C3 push ecx; ret | 0_2_010C40CA
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C4219 push ebp; ret | 0_2_010C421A
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C42D0 push edi; ret | 0_2_010C42D2
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C42D3 push edi; ret | 0_2_010C42D6
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C444B push edi; ret | 0_2_010C4452
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C4442 push edi; ret | 0_2_010C444A
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C4490 push edi; ret | 0_2_010C4492
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010C4493 push edi; ret | 0_2_010C449A
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010CB18F pushfd; ret | 0_2_010CB19A
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010CB1F1 pushfd; ret | 0_2_010CB1F2
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010CB1F3 pushfd; ret | 0_2_010CB1FA
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010CB30F pushfd; ret | 0_2_010CB312
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010CB313 pushfd; ret | 0_2_010CB31A
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010CB3C8 pushfd; ret | 0_2_010CB3CA
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_010CB250 pushfd; ret | 0_2_010CB252
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_012A4668 pushfd; ret | 0_2_012A4669
Source: C:\Users\user\Desktop\payment details.exe | Code function: 0_2_012AA6E5 push FFFFFF8Bh; iretd | 0_2_012AA6E7
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 15_2_02614668 pushfd; ret | 15_2_02614669
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 15_2_0261A6DA push dword ptr [edx+ebp*2-75h]; iretd | 15_2_0261A6E7
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 15_2_04DD1E80 push eax; mov dword ptr [esp], ecx | 15_2_04DD1E84
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 15_2_04DD1E6F push eax; mov dword ptr [esp], ecx | 15_2_04DD1E84
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 16_2_02B8A6E5 push FFFFFF8Bh; iretd | 16_2_02B8A6E7
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 16_2_02B84668 pushfd; ret | 16_2_02B84669
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 16_2_06D8AD17 push es; retf | 16_2_06D8AD54
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 16_2_06D8D25B push edx; retf | 16_2_06D8D265
Source: initial sample | Static PE information: section name: .text entropy: 7.89257156143
Source: C:\Users\user\Desktop\payment details.exe | File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe (dropped file)
Source: C:\Users\user\Desktop\payment details.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\payment details.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\payment details.exe | Process information set: NOOPENFILEERRORBOX