
Analysis Report payment details.exe

Overview

General Information

Sample Name: payment details.exe
Analysis ID: 383908
MD5: 55191839573ac8fd25655b3561286bc1
SHA1: b9e85e2ab05e4b027a3f522fd690b097aa4a4aad
SHA256: e81d917830f3fabca0557b899267ebe84ecc6fcbb5e1cd649284d1370d8a8876
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • payment details.exe (PID: 7008 cmdline: 'C:\Users\user\Desktop\payment details.exe' MD5: 55191839573AC8FD25655B3561286BC1)
  • kprUEGC.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 55191839573AC8FD25655B3561286BC1)
    • kprUEGC.exe (PID: 6932 cmdline: {path} MD5: 55191839573AC8FD25655B3561286BC1)
  • kprUEGC.exe (PID: 7132 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 55191839573AC8FD25655B3561286BC1)
    • kprUEGC.exe (PID: 816 cmdline: {path} MD5: 55191839573AC8FD25655B3561286BC1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ho@almasroor.com042264528mail.almasroor.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(18 entries collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.payment details.exe.3e052e8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
15.2.kprUEGC.exe.39952e8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.payment details.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
16.2.kprUEGC.exe.3db52e8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.payment details.exe.3e052e8.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(4 entries collapsed in the original report)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.payment details.exe.3e052e8.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ho@almasroor.com042264528mail.almasroor.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: payment details.exe | Virustotal: Detection: 31%
Source: payment details.exe | ReversingLabs: Detection: 33%
Source: 5.2.payment details.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: payment details.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment details.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 69.65.3.206:587
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 69.65.3.206:587
Source: Joe Sandbox View | ASN Name: ASN-GIGENETUS ASN-GIGENETUS
Source: unknown | DNS traffic detected: queries for: mail.almasroor.com
Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: payment details.exe, 00000005.00000002.923488347.0000000002D15000.00000004.00000001.sdmp | String found in binary or memory: http://almasroor.com
Source: kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | String found in binary or memory: http://bQxorv.com
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | Strings found in binary or memory:
    http://fontfabrik.com
    http://www.apache.org/licenses/LICENSE-2.0
    http://www.carterandcone.coml
    http://www.fontbureau.com
    http://www.fontbureau.com/designers/?
    http://www.fontbureau.com/designers/cabarga.htmlN
    http://www.fontbureau.com/designers/frere-user.html
    http://www.fontbureau.com/designers8
    http://www.fontbureau.com/designers?
    http://www.fontbureau.com/designersG
    http://www.fonts.com
    http://www.founder.com.cn/cn
    http://www.founder.com.cn/cn/bThe
    http://www.founder.com.cn/cn/cThe
    http://www.galapagosdesign.com/DPlease
    http://www.galapagosdesign.com/staff/dennis.htm
    http://www.goodfont.co.kr
    http://www.jiyu-kobo.co.jp/
    http://www.sajatypeworks.com
    http://www.sakkal.com
    http://www.sandoll.co.kr
    http://www.typography.netD
    http://www.urwpp.deDPlease
    http://www.zhongyicts.com.cn
Source: payment details.exe, 00000005.00000002.923488347.0000000002D15000.00000004.00000001.sdmp | String found in binary or memory: http://mail.almasroor.com
Source: payment details.exe, 00000005.00000002.923358633.0000000002CD9000.00000004.00000001.sdmp | String found in binary or memory: http://uDoQcdZGpyqzP0ZwyV.com
Source: kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: kprUEGC.exe, payment details.exe | String found in binary or memory: https://github.com/michel-pi/EasyBot.Net
Source: payment details.exe, 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, payment details.exe, 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\payment details.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\payment details.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 5.2.payment details.exe.400000.0.unpack, <PrivateImplementationDetails>{E39C872E-8914-48C3-BF35-A8B0A9168404}/11446D9E-E05F-4878-AF9E-244D020F16BC.cs | Large array initialization: .cctor: array initializer size 11951
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: payment details.exe
Source: C:\Users\user\Desktop\payment details.exe | Code functions: 0_2_010CC204, 0_2_010CE623, 0_2_010CE630, 0_2_012A2068, 0_2_012A0040, 0_2_012A5720, 0_2_012A59D0, 0_2_012A0006, 0_2_012A2059, 0_2_012A4279, 0_2_012A4288, 0_2_012A2548, 0_2_012A5420, 0_2_012A5412, 0_2_012A1716, 0_2_012A5716, 0_2_012A1760, 0_2_012A29F8, 0_2_012A59CA, 0_2_012A2A08, 0_2_012A2FF8, 0_2_012A2FC5
Source: C:\Users\user\Desktop\payment details.exe | Code functions: 5_2_00E047A0, 5_2_00E04790
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code functions: 15_2_00CFC204, 15_2_00CFE620, 15_2_00CFE630, 15_2_02612068, 15_2_02610040, 15_2_02615720, 15_2_026159D0, 15_2_02614282, 15_2_02614285, 15_2_02614288, 15_2_02612059, 15_2_02610028, 15_2_02610006, 15_2_02611760, 15_2_02612760, 15_2_02612768, 15_2_0261175B, 15_2_02615710, 15_2_02615716, 15_2_02615718, 15_2_0261571C, 15_2_02615420, 15_2_02615412, 15_2_02615418, 15_2_02612548, 15_2_02612A08, 15_2_026129F8, 15_2_026159CA, 15_2_026159CC, 15_2_02612FF8, 15_2_02612FC5, 15_2_04DDD990
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code functions: 16_2_0100C204, 16_2_0100E620, 16_2_0100E630, 16_2_02B82068, 16_2_02B80040, 16_2_02B859D0, 16_2_02B84288, 16_2_02B84279, 16_2_02B80006, 16_2_02B82059, 16_2_02B81760, 16_2_02B8175D, 16_2_02B85420, 16_2_02B85412, 16_2_02B82548, 16_2_02B82A08, 16_2_02B829F8, 16_2_02B859CA, 16_2_02B82FF8, 16_2_02B82FC5, 16_2_06D89CE0, 16_2_06D8B4B0, 16_2_06D8C440, 16_2_06D8ADB0, 16_2_06D8BA70, 16_2_06D83A30, 16_2_06D84B78, 16_2_06D87B13, 16_2_06D8D300, 16_2_06D890B0, 16_2_06D84978, 16_2_06D8F6F0, 16_2_06D8F6E1, 16_2_06D8F4C8, 16_2_06D8F4B9, 16_2_06D8B4A0, 16_2_06D8C430, 16_2_06D8AD57, 16_2_06D8F2D2, 16_2_06D8F2E0, 16_2_06D8D2E7, 16_2_06D8BA60, 16_2_06D8BA22, 16_2_06D88868, 16_2_06D891C8, 16_2_06D8A180, 16_2_06D8E150, 16_2_06D8A170
Source: payment details.exe | Binary or memory string: OriginalFilename vs payment details.exe
Source: payment details.exe, 00000000.00000002.698248951.0000000007C21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs payment details.exe
Source: payment details.exe, 00000000.00000002.698248951.0000000007C21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameelxZSujHMHuHJxbAMwLHIgWJxBXR.exe4 vs payment details.exe
Source: payment details.exe, 00000000.00000002.690812300.0000000002C51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs payment details.exe
Source: payment details.exe, 00000000.00000002.697919901.00000000077D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs payment details.exe
Source: payment details.exe, 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameelxZSujHMHuHJxbAMwLHIgWJxBXR.exe4 vs payment details.exe
Source: payment details.exe, 00000005.00000003.898574525.0000000000E9D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs payment details.exe
Source: payment details.exe, 00000005.00000002.917609197.0000000000C00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs payment details.exe
Source: payment details.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment details.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.payment details.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/6@2/1
Source: C:\Users\user\Desktop\payment details.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment details.exe.log
Source: C:\Users\user\Desktop\payment details.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\payment details.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: payment details.exe Virustotal: Detection: 31%
Source: payment details.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\payment details.exe File read: C:\Users\user\Desktop\payment details.exe
Source: unknown Process created: C:\Users\user\Desktop\payment details.exe 'C:\Users\user\Desktop\payment details.exe'
Source: C:\Users\user\Desktop\payment details.exe Process created: C:\Users\user\Desktop\payment details.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\Desktop\payment details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\payment details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: payment details.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment details.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: payment details.exe, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.payment details.exe.800000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.payment details.exe.800000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: kprUEGC.exe.5.dr, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.2.payment details.exe.620000.1.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.payment details.exe.620000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 15.0.kprUEGC.exe.3c0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 15.2.kprUEGC.exe.3c0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.2.kprUEGC.exe.7f0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.0.kprUEGC.exe.7f0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 18.2.kprUEGC.exe.c40000.1.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4120 push ecx; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C41E3 push esp; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C40C0 push ecx; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C40C3 push ecx; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4219 push ebp; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C42D0 push edi; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C42D3 push edi; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C444B push edi; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4442 push edi; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4490 push edi; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4493 push edi; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB18F pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB1F1 pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB1F3 pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB30F pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB313 pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB3C8 pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB250 pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A4668 pushfd ; ret
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012AA6E5 push FFFFFF8Bh; iretd
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02614668 pushfd ; ret
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_0261A6DA push dword ptr [edx+ebp*2-75h]; iretd
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_04DD1E80 push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_04DD1E6F push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B8A6E5 push FFFFFF8Bh; iretd
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B84668 pushfd ; ret
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8AD17 push es; retf
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8D25B push edx; retf
Source: initial sample Static PE information: section name: .text entropy: 7.89257156143
Source: C:\Users\user\Desktop\payment details.exe File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: C:\Users\user\Desktop\payment details.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\payment details.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\payment details.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: payment details.exe PID: 7008, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6692, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7132, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: payment details.exe, 00000000.00000002.699002431.0000000007F0C000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.809737744.00000000074CC000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: payment details.exe, 00000000.00000002.699002431.0000000007F0C000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.809737744.00000000074CC000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\payment details.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payment details.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payment details.exe | Window / User API: threadDelayed 3012
Source: C:\Users\user\Desktop\payment details.exe | Window / User API: threadDelayed 6814
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 1107
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 8741
Source: C:\Users\user\Desktop\payment details.exe TID: 7012 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 6712 | Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\payment details.exe TID: 6712 | Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 6784 | Thread sleep count: 3012 > 30
Source: C:\Users\user\Desktop\payment details.exe TID: 6784 | Thread sleep count: 6814 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6688 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6716 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 7128 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6760 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5508 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5396 | Thread sleep count: 201 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5396 | Thread sleep count: 197 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1284 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1868 | Thread sleep count: 1107 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1868 | Thread sleep count: 8741 > 30
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\payment details.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\payment details.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\payment details.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: payment details.exe, 00000005.00000002.927992446.00000000062B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\payment details.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\payment details.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\payment details.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: payment details.exe, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.2.payment details.exe.800000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.0.payment details.exe.800000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: kprUEGC.exe.5.dr, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 5.2.payment details.exe.400000.0.unpack, A/b2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 5.2.payment details.exe.620000.1.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 5.0.payment details.exe.620000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 15.0.kprUEGC.exe.3c0000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 15.2.kprUEGC.exe.3c0000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 16.2.kprUEGC.exe.7f0000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 16.0.kprUEGC.exe.7f0000.0.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 18.2.kprUEGC.exe.c40000.1.unpack, ImageManager/PInvoke/WinApi.cs | Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\payment details.exe | Memory written: C:\Users\user\Desktop\payment details.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Users\user\Desktop\payment details.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\payment details.exe | Process created: C:\Users\user\Desktop\payment details.exe {path}
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
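The raw behaviour lines in the two sections above are evidence, not a verdict, and an analyst usually has to re-derive the same three facts from them by hand: which VM-fingerprint WMI classes each process enumerated, how the sample burns sandbox time, and where an MZ-prefixed image lands in another process. The script below is an added example written for this page (it is the editor's code, not part of the Joe Sandbox report and not the sample's own logic); it parses a handful of the entries above, embedded as constructed sample input, and turns them into findings. Two points about the numbers it relies on: the report prints the relative NT delay as a negative value whose magnitude reads as milliseconds (it sits beside "delay time: 31500" and the 30000 threshold of the long-sleep signature), and 922337203685477 is Int64.MaxValue / 10000, which is TimeSpan.MaxValue expressed in milliseconds, so those entries are a .NET "park this thread forever" rather than a real timeout. The WMI class-to-fingerprint mapping is an assumption limited to the classes the report headings name.

```python
"""Summarise Joe Sandbox behaviour lines into evasion / injection findings.
Added example for this page, not part of the report or of the sample. The
SAMPLE_LINES are constructed from entries shown above; the parser does not
care how the Source column and the detail column are separated."""
import re
from dataclasses import dataclass, field

# Int64.MaxValue ticks / 10000 ticks per ms == TimeSpan.MaxValue in milliseconds.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477
LONG_SLEEP_MS = 30_000                     # the report's own ">= 30000" threshold

# WMI classes whose properties carry hypervisor fingerprints. The mapping is
# the editor's (assumption), limited to classes the report headings name.
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard": "board manufacturer / serial number",
    "Win32_Bios": "BIOS vendor / version",
    "Win32_Processor": "CPU name / core count",
    "Win32_NetworkAdapter": "adapter description",
    "Win32_NetworkAdapterConfiguration": "MAC address (vendor OUI)",
}

SRC_RE = re.compile(r"^Source:\s*(.+?\.exe)")
WMI_RE = re.compile(r"WMI Queries: IWbemServices::(\w+) - (\S+) : (.+)$")
SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s >= -(\d+)s")
LOOP_RE = re.compile(r"Thread sleep count: (\d+) > (\d+)")
MEMWR_RE = re.compile(r"^Source:\s*(.+?)\s*\|?\s*Memory written: (.+?) base: "
                      r"([0-9A-Fa-f]+) value starts with: ([0-9A-Fa-f]+)")
HOSTS_RE = re.compile(r"File written: .+?\\drivers\\etc\\hosts", re.I)


@dataclass
class EvasionSummary:
    wmi_classes: dict = field(default_factory=dict)   # class -> {process paths}
    long_sleeps_ms: list = field(default_factory=list)
    infinite_sleeps: int = 0                          # TimeSpan.MaxValue delays
    sleep_loops: list = field(default_factory=list)   # counts of short-sleep loops
    mz_writes: list = field(default_factory=list)     # (writer, target, base)
    hosts_modified: bool = False


def summarise(lines):
    """Classify each behaviour line; lines with no known detail label are skipped."""
    s = EvasionSummary()
    for raw in lines:
        line = raw.strip()
        src = SRC_RE.match(line)
        proc = src.group(1) if src else "?"
        if m := WMI_RE.search(line):
            # CreateInstanceEnum names the class directly; ExecQuery carries it in the WQL.
            for cls in re.findall(r"Win32_\w+", m.group(3)):
                if cls in VM_FINGERPRINT_CLASSES:
                    s.wmi_classes.setdefault(cls, set()).add(proc)
        elif m := SLEEP_RE.search(line):
            # The report prints the relative NT delay as negative; the magnitude is ms.
            ms = int(m.group(1))
            if ms >= TIMESPAN_MAX_MS:
                s.infinite_sleeps += 1
            elif ms >= LONG_SLEEP_MS:
                s.long_sleeps_ms.append(ms)
        elif m := LOOP_RE.search(line):
            s.sleep_loops.append(int(m.group(1)))
        elif m := MEMWR_RE.search(line):
            writer, target, base, prefix = m.groups()
            if prefix.upper().startswith("4D5A"):     # "MZ": a PE image is being written
                s.mz_writes.append((writer.strip(), target.strip(), int(base, 16)))
        elif HOSTS_RE.search(line):
            s.hosts_modified = True
    return s


def render(s):
    """One human-readable finding per line."""
    out = []
    for cls, procs in sorted(s.wmi_classes.items()):
        out.append(f"VM fingerprint via WMI {cls} ({VM_FINGERPRINT_CLASSES[cls]}): "
                   + ", ".join(sorted(procs)))
    if s.infinite_sleeps:
        out.append(f"{s.infinite_sleeps} thread(s) delayed by TimeSpan.MaxValue "
                   f"({TIMESPAN_MAX_MS} ms), i.e. parked indefinitely")
    for ms in s.long_sleeps_ms:
        out.append(f"long sleep of {ms / 1000:.1f} s (>= {LONG_SLEEP_MS // 1000} s threshold)")
    for n in s.sleep_loops:
        out.append(f"loop of {n} short sleeps (commonly a probe for sleep skipping)")
    for writer, target, base in s.mz_writes:
        where = "a process running its own image" if writer == target else target
        out.append(f"PE image (MZ) written into {where} at 0x{base:X} by {writer}")
    if s.hosts_modified:
        out.append("hosts file modified (review the added entries)")
    return out


# Constructed sample: eight entries copied from the report's behaviour lines.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\payment details.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe TID: 7012 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 6784 | Thread sleep count: 3012 > 30
Source: C:\Users\user\Desktop\payment details.exe | Memory written: C:\Users\user\Desktop\payment details.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\payment details.exe | File written: C:\Windows\System32\drivers\etc\hosts
""".strip().splitlines()

if __name__ == "__main__":
    for finding in render(summarise(SAMPLE_LINES)):
        print(finding)
```

Run as a script it prints one finding per line. The "written into a process running its own image" case is the one the report shows: the writer and the target share a path, and the "Process created: ... {path}" entries above record the child copy that receives the image, which is why the sandbox still counts it as a foreign process. Feeding the parser the whole behaviour section instead of the eight sample lines only requires pasting the lines into SAMPLE_LINES; unknown detail labels are ignored rather than failing.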
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Users\user\Desktop\payment details.exe VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Users\user\Desktop\payment details.exe | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\payment details.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\payment details.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 816, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment details.exe PID: 7008, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6692, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6932, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7132, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment details.exe PID: 1320, type: MEMORY
                      Source: Yara match | File source: 0.2.payment details.exe.3e052e8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.kprUEGC.exe.39952e8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.payment details.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.kprUEGC.exe.3db52e8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.payment details.exe.3e052e8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.kprUEGC.exe.39952e8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.kprUEGC.exe.3db52e8.2.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\payment details.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\payment details.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\payment details.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\payment details.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 816, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6932, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment details.exe PID: 1320, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 816, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment details.exe PID: 7008, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6692, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6932, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7132, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment details.exe PID: 1320, type: MEMORY
                      Source: Yara match | File source: 0.2.payment details.exe.3e052e8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.kprUEGC.exe.39952e8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.payment details.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.kprUEGC.exe.3db52e8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.payment details.exe.3e052e8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.kprUEGC.exe.39952e8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.kprUEGC.exe.3db52e8.2.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation211 | Registry Run Keys / Startup Folder1 | Process Injection112 | File and Directory Permissions Modification1 | OS Credential Dumping2 | System Information Discovery114 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder1 | Disable or Modify Tools1 | Credentials in Registry1 | Query Registry1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Security Software Discovery311 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery2 | Distributed Component Object Model | Clipboard Data1 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing13 | LSA Secrets | Virtualization/Sandbox Evasion131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion131 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      Behavior Graph ID: 383908 | Sample: payment details.exe | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100
                      Start node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 9 other signatures
                      Start node started: payment details.exe (node 6); kprUEGC.exe (node 10); kprUEGC.exe (node 12)
                      payment details.exe (node 6): dropped C:\Users\user\...\payment details.exe.log, ASCII; signature: Injects a PE file into a foreign processes; started payment details.exe (node 14)
                      kprUEGC.exe (node 10): signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); started kprUEGC.exe (node 19)
                      kprUEGC.exe (node 12): started kprUEGC.exe (node 21)
                      payment details.exe (node 14): DNS/IP: almasroor.com 69.65.3.206, 49764, 587 ASN-GIGENETUS United States; mail.almasroor.com; dropped C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32; dropped C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII; signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 3 other signatures
                      kprUEGC.exe (node 21): dropped C:\Windows\System32\drivers\etc\hosts, ASCII


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      payment details.exe | 32% | Virustotal |
                      payment details.exe | 33% | ReversingLabs | Win32.Trojan.AgentTesla

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 33% | ReversingLabs | Win32.Trojan.AgentTesla

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      5.2.payment details.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      18.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      19.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      Source | Detection | Scanner | Label
                      almasroor.com | 0% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://bQxorv.com | 0% | Avira URL Cloud | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://almasroor.com | 0% | Avira URL Cloud | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      http://mail.almasroor.com | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://uDoQcdZGpyqzP0ZwyV.com0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
almasroor.com | 69.65.3.206 | true | true | (none) | unknown
mail.almasroor.com | unknown | unknown | true | (none) | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.com | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designersG | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://DynDns.comDynDNS | kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/bThe | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/michel-pi/EasyBot.Net | kprUEGC.exe, payment details.exe | false | (none) | high
http://www.fontbureau.com/designers? | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.tiro.com | kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://bQxorv.com | kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.goodfont.co.kr | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://almasroor.com | payment details.exe, 00000005.00000002.923488347.0000000002D15000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/cThe | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/ | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
https://api.ipify.org%GETMozilla/5.0 | kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | (none) | high
http://www.sandoll.co.kr | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.almasroor.com | payment details.exe, 00000005.00000002.923488347.0000000002D15000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | payment details.exe, 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, payment details.exe, 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://uDoQcdZGpyqzP0ZwyV.com | payment details.exe, 00000005.00000002.923358633.0000000002CD9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                              Contacted IPs

                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
69.65.3.206 | almasroor.com | United States | 32181 | ASN-GIGENETUS | true

                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383908
Start date: 08.04.2021
Start time: 12:11:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: payment details.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@9/6@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 51%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 168.61.161.212, 23.54.113.53, 52.147.198.201, 104.43.139.144, 13.88.21.125, 13.64.90.137, 20.82.210.154, 23.10.249.26, 23.10.249.43, 23.0.174.185, 23.0.174.200, 52.155.217.156, 20.54.26.129, 20.82.209.183
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
12:12:20 | API Interceptor | 630x Sleep call for process: payment details.exe modified
12:12:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
12:13:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
12:13:10 | API Interceptor | 289x Sleep call for process: kprUEGC.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

Match: ASN-GIGENETUS
Associated Sample Name / URL | Detection | Context
AWB-9899691012.exe | malicious | 45.85.90.220
swift_76567643.exe | malicious | 70.32.1.32
BillOfLading.exe | malicious | 45.85.90.220
OPEN01929291000_2021-03-15_07-28.exe | malicious | 45.85.90.188
INV242-0303.doc | malicious | 45.85.90.197
dwg.exe | malicious | 45.85.90.226
a55ddff55740467df8dee39a5bbaee32.exe | malicious | 45.85.90.138
116e4c42d3948c91eafdcb60a9f37014.exe | malicious | 45.85.90.138
771eb3ef5ede516d6ec53ae40b3f888f.exe | malicious | 45.85.90.138
Paid Invoice _confirmation_9336639_03993736553.exe | malicious | 216.38.7.225
YCVj3q7r5e.exe | malicious | 70.32.1.32
VOR001 - McMurray Statements December 2020_87373535737522772662626.exe | malicious | 216.38.7.225
Customer_Receivables_Aging_20210112_2663535345242424242.exe | malicious | 216.38.7.225
Proforma fatura.exe | malicious | 216.38.2.215
Invoice.exe | malicious | 216.38.2.215
Purchase Order-34002174,pdf.exe | malicious | 216.38.7.231
IT3(b) certificate_846392852289725282735792726639.exe | malicious | 216.38.7.225
Customer Remittance Advice 9876627262822662.exe | malicious | 216.38.7.225
newbinx.exe | malicious | 216.38.2.206
Purchase New Order_101520,pdf.exe | malicious | 216.38.7.231

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Reputation: high, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment details.exe.log
Process: C:\Users\user\Desktop\payment details.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                              C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Process: C:\Users\user\Desktop\payment details.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 729600
Entropy (8bit): 7.8860851483500385
Encrypted: false
SSDEEP: 12288:wfBr6Pu2iNXNKJSjlVQp9Tjj7pqA8C8veXh+R7QrRLqQsm2T8TJjHEM0Eyxf3:+ruu1lNhK9Tn7YESQK0rR6f8TJuV3
MD5: 55191839573AC8FD25655B3561286BC1
SHA1: B9E85E2AB05E4B027A3F522FD690B097AA4A4AAD
SHA-256: E81D917830F3FABCA0557B899267EBE84ECC6FCBB5E1CD649284D1370D8A8876
SHA-512: 3488AB665AEDFEC80B744E403C8A0772097608C679E62B4CCE77103B2B3EFDAD262E41CDA0F579533C4D8C061AACF9963A61AB90053FBDF58F70F67685A69C84
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 33%
Reputation: low
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WZn`..............0..............6... ...@....@.. ....................................@..................................5..O....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................5......H...........h...........lZ..X...........................................^..}.....(.......(.....*..*..0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s ...}.....s!...}.....s"...}.....{....o#.....{....o$.....(#.....{.....o%.....{....o&...."...Bs'...o(...&.{....o&...."...Bs'...o(...&.{....o)....{......o*.....{....o)....{......o*.....{....o)....{......o*.....{....o)....{......o*.....{....o
                                              C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier
Process: C:\Users\user\Desktop\payment details.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
                                              Preview: [ZoneTransfer]....ZoneId=0
                                              C:\Windows\System32\drivers\etc\hosts
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
Reputation: moderate, very likely benign file
                                              Preview: ..127.0.0.1
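Read together, the records above describe one drop step: kprUEGC.exe in %AppData% has the same MD5, SHA1, SHA-256 and size (729600 bytes) as the submitted payment details.exe, so it is a byte-identical self-copy; its Zone.Identifier stream is written with ZoneId=0, the Local Machine zone, so the copy carries no Internet-zone Mark-of-the-Web; and the copy then rewrites the system hosts file down to 11 bytes. The Python below is an added example, not code from the report or from the sandbox vendor. It transcribes those records and runs the three checks a triage script would apply. The byte contents of the stream and of the hosts file are reconstructed from the previews on the assumption that each dot stands for a CR or LF, which is consistent with the reported sizes (26 and 11 bytes); the function and field names are this example's own.

```python
"""Triage checks over the 'Created / dropped Files' records above.

Added example, not code from the Joe Sandbox report. Paths, sizes and hashes
are transcribed from the report; the byte contents of the Zone.Identifier
stream and the hosts file are reconstructed from the previews (assumption:
each '.' in the preview is a CR or LF, which matches the reported sizes).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# URLZONE_* ids as used by the Zone.Identifier (Mark-of-the-Web) stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
ZONE_INTERNET = 3
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
SAMPLE_SHA256 = "e81d917830f3fabca0557b899267ebe84ecc6fcbb5e1cd649284d1370d8a8876"


@dataclass
class DroppedFile:
    path: str
    process: str                      # process that wrote the file
    size: int
    sha256: str
    content: Optional[bytes] = None   # only where the report's preview gives it


# Records transcribed from the report (contents reconstructed, see docstring).
REPORT_FILES: List[DroppedFile] = [
    DroppedFile(r"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe",
                r"C:\Users\user\Desktop\payment details.exe", 729600, SAMPLE_SHA256),
    DroppedFile(r"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier",
                r"C:\Users\user\Desktop\payment details.exe", 26,
                "255a65d30841ab4082bd9d0eea79d49c5ee88f56136157d8d6156aef11c12309",
                b"[ZoneTransfer]\r\n\r\nZoneId=0"),
    DroppedFile(HOSTS_PATH, r"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe", 11,
                "4dc7b65075fbc5b5421551f0cb814cafdc8caca5957d393c222ee388b6f405f4",
                b"\r\n127.0.0.1"),
]


def parse_zone_identifier(stream: bytes) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in stream.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def triage(sample_sha256: str, files: List[DroppedFile]) -> List[str]:
    """One finding string per rule that fires; the rules mirror this report."""
    findings: List[str] = []
    for f in files:
        if f.path.lower().endswith(":zone.identifier") and f.content is not None:
            zone = int(parse_zone_identifier(f.content).get("ZoneId", ZONE_INTERNET))
            if zone < ZONE_INTERNET:
                findings.append(
                    f"MotW neutralised: {f.path} carries ZoneId={zone} "
                    f"({ZONE_NAMES.get(zone, 'unknown')}), written by {f.process}")
        elif f.sha256.lower() == sample_sha256.lower():
            findings.append(
                f"self-copy: {f.path} is byte-identical to the submitted sample "
                f"({f.size} bytes, SHA-256 {f.sha256[:12]}...)")
        if f.path.lower() == HOSTS_PATH.lower() and f.content is not None:
            # A stock Windows hosts file is hundreds of bytes of comments; 11 bytes
            # holding one loopback line means every previous mapping is gone.
            kept = [l for l in f.content.decode("ascii", "replace").splitlines()
                    if l.strip()]
            findings.append(
                f"hosts file rewritten by {f.process}: {f.size} bytes, "
                f"{len(kept)} non-empty line(s) remain: {kept}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SHA256, REPORT_FILES):
        print(finding)
```

The zone check fires for any ZoneId below 3, because a stream that says Local Machine, Intranet or Trusted Sites on a file a downloader just wrote is exactly what suppresses the SmartScreen and Office Protected View prompts that an Internet-zone mark would trigger; a file with ZoneId=3, or with no stream at all, produces no finding.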

                                              Static File Info

                                              General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.8860851483500385
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: payment details.exe
File size: 729600
MD5: 55191839573ac8fd25655b3561286bc1
SHA1: b9e85e2ab05e4b027a3f522fd690b097aa4a4aad
SHA256: e81d917830f3fabca0557b899267ebe84ecc6fcbb5e1cd649284d1370d8a8876
SHA512: 3488ab665aedfec80b744e403c8a0772097608c679e62b4cce77103b2b3efdad262e41cda0f579533c4d8c061aacf9963a61ab90053fbdf58f70f67685a69c84
SSDEEP: 12288:wfBr6Pu2iNXNKJSjlVQp9Tjj7pqA8C8veXh+R7QrRLqQsm2T8TJjHEM0Eyxf3:+ruu1lNhK9Tn7YESQK0rR6f8TJuV3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WZn`..............0..............6... ...@....@.. ....................................@................................

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

Entrypoint: 0x4b3616
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x606E5A57 [Thu Apr 8 01:20:23 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
mov dword ptr [eax+4Eh], edx
inc edi
or eax, 000A1A0Ah
add byte ptr [eax], al
add byte ptr [ecx+45h], cl
dec esi
inc esp
scasb
inc edx
pushad
add byte ptr [eax], 00000000h
add byte ptr [eax], al   (repeated 86 times in the original listing: the remainder of the preview is 0x00 padding, which the disassembler renders as add byte ptr [eax], al)

                                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb35c4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x5bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb1634 | 0xb1800 | False | 0.90361328125 | data | 7.89257156143 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x5bc | 0x600 | False | 0.430338541667 | data | 4.18044919538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xb4090 | 0x32c | data | |
RT_MANIFEST | 0xb43cc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                              Imports

DLL | Import
mscoree.dll | _CorExeMain
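The tables above are the fingerprint of a managed executable with an encrypted payload: the entry point is a single jmp dword ptr [00402000h] through the 8-byte IAT at RVA 0x2000, the only native import is mscoree!_CorExeMain, a COM descriptor (CLR header) sits at RVA 0x2008, the .text section's entropy is 7.89 of a possible 8.0 with ZLIB complexity 0.90, and the link timestamp 0x606E5A57 is 01:20 UTC on the day of the analysis. The Python below is an added example, not the sandbox vendor's tooling; it takes those numbers from the report and reproduces each conclusion. The entry-point bytes are an assumption, since the report prints only the disassembly: jmp dword ptr [imm32] encodes as FF 25 followed by the little-endian address.

```python
"""Static checks that reproduce what the PE tables above say about this sample.

Added example, not the sandbox vendor's code. Numbers are taken from the report
(image base, IAT and COM-descriptor directories, the single import, section
entropy, the link timestamp). ENTRY_BYTES is an assumption: the report shows the
disassembly 'jmp dword ptr [00402000h]', whose encoding is FF 25 imm32.
"""
import math
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

IMAGE_BASE = 0x400000
IAT_DIRECTORY = (0x2000, 0x8)       # IMAGE_DIRECTORY_ENTRY_IAT (rva, size)
CLR_DIRECTORY = (0x2008, 0x48)      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
ENTRY_BYTES = bytes.fromhex("ff2500204000")   # jmp dword ptr [0x00402000]
LINK_TIMESTAMP = 0x606E5A57
TEXT_SECTION = (".text", 7.89257156143,
                "IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ")


def decode_indirect_jmp(code: bytes) -> Optional[int]:
    """Absolute operand of x86 'FF 25 disp32' (jmp dword ptr [disp32]), else None."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        return None
    return int.from_bytes(code[2:6], "little")


def is_managed_entry_stub(code: bytes, image_base: int, iat: Tuple[int, int],
                          clr: Tuple[int, int], imports: Dict[str, List[str]]) -> bool:
    """True when the native entry point is nothing but the CLR trampoline.

    All three conditions are visible in the report: the first instruction jumps
    through a slot inside the IAT, a COM-descriptor (CLR header) directory is
    present, and the only native import is mscoree!_CorExeMain, which is what
    that single 8-byte IAT slot resolves to. Everything else is managed code.
    """
    target = decode_indirect_jmp(code)
    if target is None:
        return False
    rva = target - image_base
    in_iat = iat[0] <= rva < iat[0] + iat[1]
    has_clr = clr[1] > 0
    only_cor = set(imports) == {"mscoree.dll"} and imports["mscoree.dll"] == ["_CorExeMain"]
    return in_iat and has_clr and only_cor


def shannon_entropy(data: bytes) -> float:
    """'Entropy (8bit)' as in the report: bits per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(name: str, entropy: float, characteristics: str,
                         threshold: float = 7.2) -> bool:
    """A code section whose entropy sits near the 8.0 ceiling holds compressed or
    encrypted data rather than plain CIL or x86; the real payload is produced at
    run time (the report's .text is 7.89 with ZLIB complexity 0.90)."""
    return "IMAGE_SCN_CNT_CODE" in characteristics and entropy >= threshold


def link_time_utc(timestamp: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    print("managed stub:", is_managed_entry_stub(ENTRY_BYTES, IMAGE_BASE,
                                                 IAT_DIRECTORY, CLR_DIRECTORY, IMPORTS))
    print(".text packed:", section_looks_packed(*TEXT_SECTION))
    print("linked:", link_time_utc(LINK_TIMESTAMP), "(same day as the analysis run)")
    print("entropy of 0x00 padding:", shannon_entropy(b"\x00" * 64))
```

The 7.2 threshold is a working default rather than a standard; plain CIL and x86 code usually sit between 5 and 6.5, and a section that also reports near-1.0 ZLIB complexity, as .text does here, cannot be compressed further, which is the usual sign of encryption rather than mere compression.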

                                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 - 2021
Assembly Version | 3.1.0.5
InternalName | E7.exe
FileVersion | 3.1.0.5
CompanyName | (empty)
LegalTrademarks | (empty)
Comments | (empty)
ProductName | Image Manager
ProductVersion | 3.1.0.5
FileDescription | Image Manager
OriginalFilename | E7.exe

                                              Network Behavior

                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/08/21-12:13:03.957380 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.4 | 8.8.8.8
04/08/21-12:14:14.478900 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49764 | 587 | 192.168.2.4 | 69.65.3.206

                                              Network Port Distribution

                                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:14:13.416610003 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:13.529042006 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:13.529160023 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:13.782218933 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:13.783303976 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:13.896219969 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:13.897735119 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.012175083 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:14.012785912 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.135514021 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:14.136495113 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.248852015 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:14.249553919 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.362612963 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:14.363524914 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.475619078 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:14.475667953 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:14.478899956 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.479218006 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.479986906 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.480148077 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206
Apr 8, 2021 12:14:14.591240883 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:14.591269016 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:15.217732906 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4
Apr 8, 2021 12:14:15.270230055 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206

                                              UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:12:03.064060926 CEST | 65298 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:03.077512980 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:03.845468998 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:03.858165026 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:04.593974113 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:04.606405020 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:05.538863897 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:05.558337927 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:05.890345097 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:05.903453112 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:06.565275908 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:06.578464985 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:07.659887075 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:07.673106909 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:08.621151924 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:08.633485079 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:09.517817974 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:09.530227900 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:10.398554087 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:10.411314964 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:11.768969059 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:11.781416893 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:29.372864962 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:29.385481119 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:30.782634020 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:30.798058033 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:31.834743023 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:31.846843004 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:32.547606945 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:32.561222076 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:33.321407080 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:33.334260941 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:34.282865047 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:34.296099901 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:35.276427031 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:35.289624929 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:37.214466095 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:37.227308035 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:40.079788923 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:40.092431068 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:45.115417957 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:45.135452986 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:12:56.673142910 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:12:56.691920042 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:01.490715027 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:01.625912905 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:02.216861963 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:02.229913950 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:02.821137905 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:03.873179913 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:03.886499882 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:03.957209110 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:04.867223978 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:04.880508900 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:06.228488922 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:06.326831102 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:06.883766890 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:06.896733046 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:07.279181004 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:07.292699099 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:07.457143068 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:07.470500946 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:08.050573111 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:08.063374996 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:09.544285059 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:09.557113886 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:09.907948017 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:09.923392057 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:19.272897005 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:19.290817976 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 12:13:57.243844986 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 12:13:57.279443979 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                              Apr 8, 2021 12:14:02.344350100 CEST5018353192.168.2.48.8.8.8
                                              Apr 8, 2021 12:14:02.371304035 CEST53501838.8.8.8192.168.2.4
                                              Apr 8, 2021 12:14:12.552082062 CEST6153153192.168.2.48.8.8.8
                                              Apr 8, 2021 12:14:12.682018995 CEST53615318.8.8.8192.168.2.4
                                              Apr 8, 2021 12:14:13.157211065 CEST4922853192.168.2.48.8.8.8
                                              Apr 8, 2021 12:14:13.277036905 CEST53492288.8.8.8192.168.2.4

                                              ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Apr 8, 2021 12:13:03.957380056 CEST | 192.168.2.4 | 8.8.8.8 | d138 | Port unreachable | Destination Unreachable

                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 12:14:12.552082062 CEST | 192.168.2.4 | 8.8.8.8 | 0xb2dd | Standard query (0) | mail.almasroor.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:14:13.157211065 CEST | 192.168.2.4 | 8.8.8.8 | 0x70e6 | Standard query (0) | mail.almasroor.com | A (IP address) | IN (0x0001)

                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 12:14:12.682018995 CEST | 8.8.8.8 | 192.168.2.4 | 0xb2dd | No error (0) | mail.almasroor.com | almasroor.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:14:12.682018995 CEST | 8.8.8.8 | 192.168.2.4 | 0xb2dd | No error (0) | almasroor.com | - | 69.65.3.206 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:14:13.277036905 CEST | 8.8.8.8 | 192.168.2.4 | 0x70e6 | No error (0) | mail.almasroor.com | almasroor.com | - | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:14:13.277036905 CEST | 8.8.8.8 | 192.168.2.4 | 0x70e6 | No error (0) | almasroor.com | - | 69.65.3.206 | A (IP address) | IN (0x0001)

                                              SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 8, 2021 12:14:13.782218933 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 220-server302.webhostingpad.com ESMTP Exim 4.93 #2 Thu, 08 Apr 2021 05:14:13 -0500
                                                                                 220-We do not authorize the use of this system to transport unsolicited,
                                                                                 220 and/or bulk e-mail.
Apr 8, 2021 12:14:13.783303976 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206 | EHLO 247525
Apr 8, 2021 12:14:13.896219969 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 250-server302.webhostingpad.com Hello 247525 [185.32.222.8]
                                                                                 250-SIZE 52428800
                                                                                 250-8BITMIME
                                                                                 250-PIPELINING
                                                                                 250-AUTH PLAIN LOGIN
                                                                                 250-STARTTLS
                                                                                 250 HELP
Apr 8, 2021 12:14:13.897735119 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206 | AUTH login aG9AYWxtYXNyb29yLmNvbQ==
Apr 8, 2021 12:14:14.012175083 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 8, 2021 12:14:14.135514021 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 235 Authentication succeeded
Apr 8, 2021 12:14:14.136495113 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206 | MAIL FROM:<ho@almasroor.com>
Apr 8, 2021 12:14:14.248852015 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 250 OK
Apr 8, 2021 12:14:14.249553919 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206 | RCPT TO:<ho@almasroor.com>
Apr 8, 2021 12:14:14.362612963 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 250 Accepted
Apr 8, 2021 12:14:14.363524914 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206 | DATA
Apr 8, 2021 12:14:14.475667953 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Apr 8, 2021 12:14:14.480148077 CEST | 49764 | 587 | 192.168.2.4 | 69.65.3.206 | .
Apr 8, 2021 12:14:15.217732906 CEST | 587 | 49764 | 69.65.3.206 | 192.168.2.4 | 250 OK id=1lURfy-0003vO-DX
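The SMTP session above is the sample's exfiltration channel. The server at 69.65.3.206 advertises STARTTLS, but the client never issues it and authenticates with AUTH LOGIN on the cleartext port 587 connection, so the base64 initial response aG9AYWxtYXNyb29yLmNvbQ== decodes to the mailbox name ho@almasroor.com, the same address used in MAIL FROM and RCPT TO, and the 334 challenge UGFzc3dvcmQ6 is the "Password:" prompt. The client's reply to that prompt and the message body are not part of the listing. The Python script below is an added example, not part of the Joe Sandbox report: it replays the dialogue (transcribed from the table above, with "C"/"S" direction markers added) and extracts the indicators an incident responder would want, namely banner, EHLO name, auth mechanism and username, sender, recipients, queue id and whether credentials crossed the wire unencrypted. The AUTH PLAIN handling is a generalisation beyond what this capture shows.

```python
import base64
import re

# Transcript constructed from the SMTP packet listing above.
# "C" = the sample (192.168.2.4:49764), "S" = the server (69.65.3.206:587).
CAPTURED_SMTP = [
    ("S", "220-server302.webhostingpad.com ESMTP Exim 4.93 #2 Thu, 08 Apr 2021 05:14:13 -0500"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 247525"),
    ("S", "250-server302.webhostingpad.com Hello 247525 [185.32.222.8]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "AUTH login aG9AYWxtYXNyb29yLmNvbQ=="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<ho@almasroor.com>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<ho@almasroor.com>"),
    ("S", "250 Accepted"),
    ("C", "DATA"),
    ("S", '354 Enter message, ending with "." on a line by itself'),
    ("C", "."),
    ("S", "250 OK id=1lURfy-0003vO-DX"),
]

_ADDR_RE = re.compile(r"<([^>]*)>")


def _b64_text(token):
    """Decode a base64 SMTP token to text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def summarize_smtp(session):
    """Walk a cleartext SMTP dialogue and collect exfiltration indicators.

    Understands AUTH LOGIN with or without an initial username response and
    AUTH PLAIN (generalisation; the capture above only uses AUTH LOGIN).
    The password value is never stored, only the fact that one was sent.
    """
    info = {
        "server_banner": None, "ehlo_name": None,
        "starttls_offered": False, "starttls_used": False,
        "auth_mechanism": None, "auth_username": None,
        "password_observed": False, "auth_success": False,
        "mail_from": None, "rcpt_to": [], "queue_id": None,
    }
    expect = None  # which AUTH LOGIN value the next client line carries

    for who, line in session:
        if who == "S":
            code, rest = line[:3], line[4:]  # handles both "250-" and "250 "
            if code == "220" and info["server_banner"] is None:
                info["server_banner"] = rest
            elif code == "250" and rest.upper() == "STARTTLS":
                info["starttls_offered"] = True
            elif code == "334":
                prompt = (_b64_text(rest.strip()) or "").lower()
                expect = "password" if prompt.startswith("password") else "username"
            elif code == "235" or code.startswith("5"):
                # AUTH finished (or failed): a password line missing from the
                # capture must not make the next command look like the password.
                info["auth_success"] = info["auth_success"] or code == "235"
                expect = None
            elif code == "250" and rest.startswith("OK id="):
                info["queue_id"] = rest[len("OK id="):]
            continue

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if expect == "username":
            info["auth_username"], expect = _b64_text(line.strip()), None
        elif expect == "password":
            info["password_observed"], expect = True, None
        elif verb in ("EHLO", "HELO"):
            info["ehlo_name"] = arg
        elif verb == "STARTTLS":
            info["starttls_used"] = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            info["auth_mechanism"] = mech.upper()
            if mech.upper() == "LOGIN" and initial:
                info["auth_username"] = _b64_text(initial)
            elif mech.upper() == "PLAIN" and initial:
                parts = (_b64_text(initial) or "").split("\0")
                if len(parts) == 3:  # authzid \0 authcid \0 password
                    info["auth_username"], info["password_observed"] = parts[1], True
        elif verb == "MAIL":
            m = _ADDR_RE.search(line)
            info["mail_from"] = m.group(1) if m else None
        elif verb == "RCPT":
            m = _ADDR_RE.search(line)
            if m:
                info["rcpt_to"].append(m.group(1))

    # Credentials were readable on the wire if AUTH happened without STARTTLS.
    info["credentials_in_clear"] = info["auth_username"] is not None and not info["starttls_used"]
    return info


if __name__ == "__main__":
    for key, value in summarize_smtp(CAPTURED_SMTP).items():
        print(f"{key:>22}: {value}")
```

Because the listing contains no client line between the 334 prompt and the 235 reply, password_observed stays False for this capture; resetting the AUTH state on 235 (or any 5xx) is what keeps the omitted password line from being confused with the following MAIL FROM. The same parser can be fed the client/server lines of any other cleartext SMTP capture from a sandbox run.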

                                              Code Manipulations

                                              Statistics

                                              Behavior


                                              System Behavior

                                              General

                                              Start time:12:12:11
                                              Start date:08/04/2021
                                              Path:C:\Users\user\Desktop\payment details.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\payment details.exe'
                                              Imagebase:0x800000
                                              File size:729600 bytes
                                              MD5 hash:55191839573AC8FD25655B3561286BC1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:12:12:25
                                              Start date:08/04/2021
                                              Path:C:\Users\user\Desktop\payment details.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x620000
                                              File size:729600 bytes
                                              MD5 hash:55191839573AC8FD25655B3561286BC1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:12:13:03
                                              Start date:08/04/2021
                                              Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                                              Imagebase:0x3c0000
                                              File size:729600 bytes
                                              MD5 hash:55191839573AC8FD25655B3561286BC1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 33%, ReversingLabs
                                              Reputation:low

                                              General

                                              Start time:12:13:11
                                              Start date:08/04/2021
                                              Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                                              Imagebase:0x7f0000
                                              File size:729600 bytes
                                              MD5 hash:55191839573AC8FD25655B3561286BC1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:12:13:16
                                              Start date:08/04/2021
                                              Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0xc40000
                                              File size:729600 bytes
                                              MD5 hash:55191839573AC8FD25655B3561286BC1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:12:13:25
                                              Start date:08/04/2021
                                              Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0xc00000
                                              File size:729600 bytes
                                              MD5 hash:55191839573AC8FD25655B3561286BC1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              Disassembly

                                              Code Analysis
