
Analysis Report Remittance Details,.exe

Overview

General Information

Sample Name: Remittance Details,.exe
Analysis ID: 385352
MD5: 7c11ef37a7bdad154a455d59b65c190a
SHA1: 3974dd90b0180e8087bc2adbd3947f651a656ab6
SHA256: 8b8f8698c1165d37f1dcf607bfc31a0d8f884389b26ebbd106bca128f85e40e6
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Remittance Details,.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\Remittance Details,.exe' MD5: 7C11EF37A7BDAD154A455D59B65C190A)
    • Remittance Details,.exe (PID: 6972 cmdline: C:\Users\user\Desktop\Remittance Details,.exe MD5: 7C11EF37A7BDAD154A455D59B65C190A)
  • kprUEGC.exe (PID: 7096 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 7C11EF37A7BDAD154A455D59B65C190A)
    • kprUEGC.exe (PID: 7156 cmdline: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe MD5: 7C11EF37A7BDAD154A455D59B65C190A)
  • kprUEGC.exe (PID: 7036 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 7C11EF37A7BDAD154A455D59B65C190A)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "servicekrl@lallyautomobiles.netWelcome@2021mail.lallyautomobiles.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.962815631.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.966156709.00000000031A1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0000000F.00000002.817115472.0000000004405000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.962851054.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(12 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.kprUEGC.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.Remittance Details,.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
15.2.kprUEGC.exe.4577888.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Remittance Details,.exe.3d07888.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
15.2.kprUEGC.exe.4577888.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 17.2.kprUEGC.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "servicekrl@lallyautomobiles.netWelcome@2021mail.lallyautomobiles.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: Remittance Details,.exe | Virustotal: Detection: 31%
Source: Remittance Details,.exe | ReversingLabs: Detection: 16%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Remittance Details,.exe | Joe Sandbox ML: detected
Source: 17.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.Remittance Details,.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Remittance Details,.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Remittance Details,.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Remittance Details,.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (4 occurrences)
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (4 occurrences)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49760 -> 162.241.85.194:587
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 162.241.85.194:587
Source: Joe Sandbox View | IP Address: 162.241.85.194
Source: Joe Sandbox View | ASN Name: OIS1US
Source: unknown | DNS traffic detected: queries for: mail.lallyautomobiles.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Remittance Details,.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Remittance Details,.exe
Source: Remittance Details,.exe, 00000000.00000002.719839501.0000000000E48000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Remittance Details,.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\Remittance Details,.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 4.2.Remittance Details,.exe.400000.0.unpack, <PrivateImplementationDetails>{C3229A82-C405-4310-9FAB-7139252673B4}/A6A4DE41-417C-4937-9B5E-83EB42B4661B.cs | Large array initialization: .cctor: array initializer size 11976
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 15_2_07A93B9C NtQueryInformationProcess,
                      Source: Remittance Details,.exe, 00000000.00000002.726711571.00000000072D0000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameDSASignature.dll" vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000000.00000002.720043710.00000000029E1000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000000.00000002.719226689.00000000006EC000.00000002.00020000.sdmp -- Binary or memory string: OriginalFilenameBINDPTR.exe> vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000000.00000002.719839501.0000000000E48000.00000004.00000020.sdmp -- Binary or memory string: OriginalFilenameclr.dllT vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000000.00000002.720102415.0000000002A31000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameCrDkIkkkBWhoYOaknhYHPRCjW.exe4 vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000004.00000002.963071834.0000000000D6C000.00000002.00020000.sdmp -- Binary or memory string: OriginalFilenameBINDPTR.exe> vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000004.00000002.963165917.00000000010F8000.00000004.00000001.sdmp -- Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000004.00000002.964373382.000000000144A000.00000004.00000020.sdmp -- Binary or memory string: OriginalFilenameclr.dllT vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000004.00000002.964651781.0000000001540000.00000002.00000001.sdmp -- Binary or memory string: OriginalFilenamemscorrc.dllT vs Remittance Details,.exe
                      Source: Remittance Details,.exe, 00000004.00000002.962851054.0000000000402000.00000040.00000001.sdmp -- Binary or memory string: OriginalFilenameCrDkIkkkBWhoYOaknhYHPRCjW.exe4 vs Remittance Details,.exe
                      Source: Remittance Details,.exe -- Binary or memory string: OriginalFilenameBINDPTR.exe> vs Remittance Details,.exe
                      Source: Remittance Details,.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Remittance Details,.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: kprUEGC.exe.4.dr -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 4.2.Remittance Details,.exe.400000.0.unpack, A/b2.cs -- Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engine -- Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance Details,.exe.log
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp -- Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                      Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp -- Binary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp -- Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp -- Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp -- Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp -- Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp -- Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: Remittance Details,.exe -- Virustotal: Detection: 31%
                      Source: Remittance Details,.exe -- ReversingLabs: Detection: 16%
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- File read: C:\Users\user\Desktop\Remittance Details,.exe
                      Source: unknown -- Process created: C:\Users\user\Desktop\Remittance Details,.exe 'C:\Users\user\Desktop\Remittance Details,.exe'
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Process created: C:\Users\user\Desktop\Remittance Details,.exe C:\Users\user\Desktop\Remittance Details,.exe
                      Source: unknown -- Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: Window Recorder -- Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Remittance Details,.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Remittance Details,.exe -- Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Code function: 0_2_04A62DFA pushad ; iretd
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Code function: 0_2_04A61528 push edx; ret
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Code function: 4_2_02FCCF91 push esp; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 15_2_052D2DFA pushad ; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 15_2_07A96295 pushfd ; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 16_2_02A304D0 push C03300E0h; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 17_2_027FCF91 push esp; iretd
                      Source: initial sample -- Static PE information: section name: .text entropy: 7.95213295508
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Remittance Details,.exe -- Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Remittance Details,.exe PID: 6712, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7096, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Remittance Details,.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Remittance Details,.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Remittance Details,.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Remittance Details,.exe | Window / User API: threadDelayed 8473
Source: C:\Users\user\Desktop\Remittance Details,.exe | Window / User API: threadDelayed 1366
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 3677
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 6146
Source: C:\Users\user\Desktop\Remittance Details,.exe TID: 6716 | Thread sleep time: -104888s >= -30000s
Source: C:\Users\user\Desktop\Remittance Details,.exe TID: 6732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Remittance Details,.exe TID: 6936 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Remittance Details,.exe TID: 5036 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\Remittance Details,.exe TID: 6200 | Thread sleep count: 8473 > 30
Source: C:\Users\user\Desktop\Remittance Details,.exe TID: 6200 | Thread sleep count: 1366 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 7100 | Thread sleep time: -103773s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5740 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4484 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4484 | Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1072 | Thread sleep count: 3677 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1072 | Thread sleep count: 6146 > 30
Source: C:\Users\user\Desktop\Remittance Details,.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Remittance Details,.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Remittance Details,.exe | Thread delayed: delay time: 104888
Source: C:\Users\user\Desktop\Remittance Details,.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 103773
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Remittance Details,.exe, 00000004.00000002.964477900.0000000001472000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Remittance Details,.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Code function: 4_2_01263118 LdrInitializeThunk,
Source: C:\Users\user\Desktop\Remittance Details,.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Remittance Details,.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Remittance Details,.exe | Memory written: C:\Users\user\Desktop\Remittance Details,.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Users\user\Desktop\Remittance Details,.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Remittance Details,.exe | Process created: C:\Users\user\Desktop\Remittance Details,.exe C:\Users\user\Desktop\Remittance Details,.exe
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: Remittance Details,.exe, 00000004.00000002.965315910.0000000001A70000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.964170635.0000000001300000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Remittance Details,.exe, 00000004.00000002.965315910.0000000001A70000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.964170635.0000000001300000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Remittance Details,.exe, 00000004.00000002.965315910.0000000001A70000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.964170635.0000000001300000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Remittance Details,.exe, 00000004.00000002.965315910.0000000001A70000.00000002.00000001.sdmp, kprUEGC.exe, 00000011.00000002.964170635.0000000001300000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Users\user\Desktop\Remittance Details,.exe VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Remittance Details,.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Users\user\Desktop\Remittance Details,.exe VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Remittance Details,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code function: 17_2_05CC4FFC GetUserNameW,
Source: C:\Users\user\Desktop\Remittance Details,.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\Remittance Details,.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000011.00000002.962815631.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.817115472.0000000004405000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.962851054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.722663063.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Remittance Details,.exe PID: 6712, type: MEMORY
Source: Yara match | File source: Process Memory Space: Remittance Details,.exe PID: 6972, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7156, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7096, type: MEMORY
Source: Yara match | File source: 17.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Remittance Details,.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.kprUEGC.exe.4577888.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Remittance Details,.exe.3d07888.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.kprUEGC.exe.4577888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Remittance Details,.exe.3d07888.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Remittance Details,.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Remittance Details,.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Remittance Details,.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Remittance Details,.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Remittance Details,.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Remittance Details,.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Remittance Details,.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Remittance Details,.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Remittance Details,.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000004.00000002.966156709.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Remittance Details,.exe PID: 6972, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7156, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000011.00000002.962815631.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.817115472.0000000004405000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.962851054.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.722663063.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Remittance Details,.exe PID: 6712, type: MEMORY
Source: Yara match | File source: Process Memory Space: Remittance Details,.exe PID: 6972, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7156, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7096, type: MEMORY
Source: Yara match | File source: 17.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Remittance Details,.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.kprUEGC.exe.4577888.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Remittance Details,.exe.3d07888.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.kprUEGC.exe.4577888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Remittance Details,.exe.3d07888.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | Input Capture 111 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Security Software Discovery 311 | Distributed Component Object Model | Input Capture 111 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 3 | LSA Secrets | Process Discovery 2 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 385352 | Sample: Remittance Details,.exe | Startdate: 12/04/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures

Process tree recovered from the graph:

• Remittance Details,.exe (started from the sample)
  • Created file: C:\Users\user\...\Remittance Details,.exe.log, ASCII
  • Signature: Injects a PE file into a foreign processes
  • Started: Remittance Details,.exe (child process)
    • DNS/IP Info: lallyautomobiles.net 162.241.85.194, ports 49760, 587, OIS1US United States; mail.lallyautomobiles.net
    • Created file: C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32
    • Created file: C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 4 other signatures
• kprUEGC.exe
  • Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • Started: kprUEGC.exe (child process)
    • Created file: C:\Windows\System32\drivers\etc\hosts, ASCII
• kprUEGC.exe (second instance)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Remittance Details,.exe | 31% | Virustotal |
Remittance Details,.exe | 17% | ReversingLabs | Win32.Trojan.Wacatac
Remittance Details,.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 17% | ReversingLabs | Win32.Trojan.Wacatac

Unpacked PE Files

Source | Detection | Scanner | Label
17.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.2.Remittance Details,.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
lallyautomobiles.net | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://mail.lallyautomobiles.net | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/2 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/2 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/2 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/2 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/i | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnt | 0% | URL Reputation | safe
http://www.founder.com.cn/cnt | 0% | URL Reputation | safe
http://www.founder.com.cn/cnt | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://lallyautomobiles.net | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/z | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
lallyautomobiles.net | 162.241.85.194 | true | true | | unknown
mail.lallyautomobiles.net | unknown | unknown | true | | unknown

URLs from Memory and Binaries

http://127.0.0.1:HTTP/1.1
Source: Remittance Details,.exe, 00000004.00000002.966156709.00000000031A1000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: low

http://www.fontbureau.com/designersG
Source: Remittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

http://www.fontbureau.com/designers/?
Source: Remittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

http://www.founder.com.cn/cn/bThe
Source: Remittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://www.fontbureau.com/designers?
Source: Remittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

http://mail.lallyautomobiles.net
Source: Remittance Details,.exe, 00000004.00000002.967100020.000000000350E000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Remittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.819512989.0000000002BA1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://www.tiro.com
Source: kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://www.fontbureau.com/designers
Source: kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

http://www.goodfont.co.kr
Source: Remittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://www.carterandcone.com
Source: Remittance Details,.exe, 00000000.00000003.702727453.0000000005AAC000.00000004.00000001.sdmp
Malicious: false
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssRemittance Details,.exe, 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.sajatypeworks.comRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.typography.netDRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cn/cTheRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://fontfabrik.comRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/3Remittance Details,.exe, 00000000.00000003.703069163.0000000005AAA000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/2Remittance Details,.exe, 00000000.00000003.703069163.0000000005AAA000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/jp/iRemittance Details,.exe, 00000000.00000003.702889959.0000000005AA4000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.founder.com.cn/cntRemittance Details,.exe, 00000000.00000003.701297958.0000000005AAE000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/DPleaseRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/Y0Remittance Details,.exe, 00000000.00000003.702727453.0000000005AAC000.00000004.00000001.sdmp, Remittance Details,.exe, 00000000.00000003.703069163.0000000005AAA000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://api.ipify.org%GETMozilla/5.0kprUEGC.exe, 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    low
                                    http://www.fonts.comRemittance Details,.exe, 00000000.00000003.700039094.0000000005ABB000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.sandoll.co.krRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.urwpp.deDPleaseRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.zhongyicts.com.cnRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://lallyautomobiles.netRemittance Details,.exe, 00000004.00000002.967100020.000000000350E000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namekprUEGC.exe, 00000010.00000002.819512989.0000000002BA1000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.sakkal.comRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://api.ipify.org%Remittance Details,.exe, 00000004.00000002.966156709.00000000031A1000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        low
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipRemittance Details,.exe, 00000000.00000002.722663063.0000000003B96000.00000004.00000001.sdmp, Remittance Details,.exe, 00000004.00000002.962851054.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.817115472.0000000004405000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.962815631.0000000000402000.00000040.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.apache.org/licenses/LICENSE-2.0Remittance Details,.exe, 00000000.00000003.701865078.0000000005AB8000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.comRemittance Details,.exe, 00000000.00000003.718969677.0000000005AAA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                            high
                                            http://DynDns.comDynDNSkprUEGC.exe, 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comFRemittance Details,.exe, 00000000.00000003.718969677.0000000005AAA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRemittance Details,.exe, 00000004.00000002.966156709.00000000031A1000.00000004.00000001.sdmp, kprUEGC.exe, 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/GRemittance Details,.exe, 00000000.00000003.703069163.0000000005AAA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/jp/Remittance Details,.exe, 00000000.00000003.703069163.0000000005AAA000.00000004.00000001.sdmp, Remittance Details,.exe, 00000000.00000003.702889959.0000000005AA4000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comlRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.jiyu-kobo.co.jp/zRemittance Details,.exe, 00000000.00000003.702727453.0000000005AAC000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.founder.com.cn/cnRemittance Details,.exe, 00000000.00000003.701297958.0000000005AAE000.00000004.00000001.sdmp, Remittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/frere-user.htmlRemittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/Remittance Details,.exe, 00000000.00000003.702727453.0000000005AAC000.00000004.00000001.sdmp, Remittance Details,.exe, 00000000.00000003.703069163.0000000005AAA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/iRemittance Details,.exe, 00000000.00000003.702727453.0000000005AAC000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers8Remittance Details,.exe, 00000000.00000002.726128108.0000000006CB2000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.821255418.0000000006490000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.821990292.0000000005BC0000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/hRemittance Details,.exe, 00000000.00000003.702727453.0000000005AAC000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://EdUnwEjjJapJM28abNa.orgRemittance Details,.exe, 00000004.00000002.966943930.00000000034CD000.00000004.00000001.sdmp, Remittance Details,.exe, 00000004.00000002.967131470.000000000351C000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://VjrQdt.comkprUEGC.exe, 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown

                                                  Contacted IPs


                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.85.194 | lallyautomobiles.net | United States | 26337 | OIS1US | true

                                                  General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385352
Start date: 12.04.2021
Start time: 11:13:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 0s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Remittance Details,.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.7% (good quality ratio 0.6%)
• Quality average: 53.2%
• Quality standard deviation: 24.2%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
                                                  Warnings:
                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 92.122.145.220, 13.88.21.125, 52.255.188.83, 20.82.210.154, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 8.241.79.254, 8.253.207.121, 8.241.89.126, 8.241.82.254, 8.241.126.249, 13.64.90.137, 104.43.139.144, 40.88.32.150, 20.50.102.62
                                                  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
11:15:11 | API Interceptor | 688x Sleep call for process: Remittance Details,.exe modified
11:15:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
11:15:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
11:15:52 | API Interceptor | 417x Sleep call for process: kprUEGC.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

Match | Associated Sample Name / URL | Detection
162.241.85.194 | TyvHgg4MaP.exe | malicious
 | 8pHO7uTdXC.exe | malicious
 | MaqIUcQ58t.exe | malicious
 | IzJb0bKz7o.exe | malicious
 | JNKI-044-PO-038.doc | malicious

                                                            Domains

                                                            No context

                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
OIS1US | FED8GODpaD.xlsb | malicious | 50.116.95.68
 | catalogue-41.xlsb | malicious | 50.116.95.68
 | document-4077682.xlsm | malicious | 162.241.203.140
 | document-1643341247.xlsm | malicious | 162.241.203.140
 | document-1977942244.xlsm | malicious | 162.241.203.140
 | document-972550903.xlsm | malicious | 162.241.203.140
 | document-972550903.xlsm | malicious | 162.241.203.140
 | document-852263110.xlsm | malicious | 162.241.203.140
 | document-2130763274.xlsm | malicious | 162.241.203.140
 | Purchase_Order 3109.xls | malicious | 162.241.85.227
 | document-669854873.xlsm | malicious | 162.241.203.140
 | document-1432391719.xlsm | malicious | 162.241.203.140
 | document-1811269384.xlsm | malicious | 162.241.203.140
 | document-586537513.xlsm | malicious | 162.241.203.140
 | document-1080811384.xlsm | malicious | 162.241.203.140
 | document-1680135502.xlsm | malicious | 162.241.203.140
 | document-1258602967.xlsm | malicious | 162.241.203.140
 | document-2092739367.xlsm | malicious | 162.241.203.140
 | document-1113405161.xlsm | malicious | 162.241.203.140
 | document-423354438.xlsm | malicious | 162.241.203.140

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance Details,.exe.log
Process: C:\Users\user\Desktop\Remittance Details,.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Process: C:\Users\user\Desktop\Remittance Details,.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 763904
Entropy (8bit): 7.945765090542498
Encrypted: false
SSDEEP: 12288:Mgdxbzvzi13jlCfH4lEWSoWVZpeQTG3PjMJtS0crwEpYi/Py1A/K:MyPvzk35CfYl8oWVT0PjsStDphPy1v
MD5: 7C11EF37A7BDAD154A455D59B65C190A
SHA1: 3974DD90B0180E8087BC2ADBD3947F651A656AB6
SHA-256: 8B8F8698C1165D37F1DCF607BFC31A0D8F884389B26EBBD106BCA128F85E40E6
SHA-512: 0E5B26B15205EBEE707FE16E62D3C514572263A303CA0DFD5E3315C5CBB7BD77C799255F30A5AEA237A7FD94C27AB0F3705D66B879689F685D319C1600A29EC6
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 17%
Reputation: low
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Remittance Details,.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

C:\Windows\System32\drivers\etc\hosts
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
Reputation: moderate, very likely benign file
Preview: ..127.0.0.1

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.945765090542498
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Remittance Details,.exe
File size: 763904 bytes
MD5: 7c11ef37a7bdad154a455d59b65c190a
SHA1: 3974dd90b0180e8087bc2adbd3947f651a656ab6
SHA256: 8b8f8698c1165d37f1dcf607bfc31a0d8f884389b26ebbd106bca128f85e40e6
SHA512: 0e5b26b15205ebee707fe16e62d3c514572263a303ca0dfd5e3315c5cbb7bd77c799255f30a5aea237a7fd94c27ab0f3705d66b879689f685d319c1600a29ec6
SSDEEP: 12288:Mgdxbzvzi13jlCfH4lEWSoWVZpeQTG3PjMJtS0crwEpYi/Py1A/K:MyPvzk35CfYl8oWVT0PjsStDphPy1v

File Icon

Icon Hash: 18261a9b72310300

Static PE Info

General

Entrypoint: 0x4bae5a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60739496 [Mon Apr 12 00:30:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

The native entrypoint is a single indirect jump through the IAT slot at 0x402000 (the IAT data directory at RVA 0x2000, size 0x8); that slot holds the one import listed below, _CorExeMain from mscoree.dll, which hands control to the CLR. The bytes following the jmp are zero padding, which the disassembler renders as repeated "add byte ptr [eax], al" instructions.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbae08          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbc000          0x1338        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xbe000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xb8e60       0xb9000   False     0.955404085726   data       7.95213295508   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xbc000          0x1338        0x1400    False     0.6359375        data       6.10274673503   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xbe000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size   Type                                                                                                                          Language  Country
RT_ICON        0xbc130  0xca8  dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 4278455063, next used block 4282336593
RT_GROUP_ICON  0xbcdd8  0x14   data
RT_VERSION     0xbcdec  0x35e  data
RT_MANIFEST    0xbd14c  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2012
Assembly Version  8.1.1.15
InternalName      BINDPTR.exe
FileVersion       8.1.1.14
CompanyName       Landskip Yard Care
LegalTrademarks   A++
Comments
ProductName       LevelActivator
ProductVersion    8.1.1.14
FileDescription   LevelActivator
OriginalFilename  BINDPTR.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP    Dest IP
04/12/21-11:17:02.971539  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49760        587        192.168.2.4  162.241.85.194

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Apr 12, 2021 11:17:00.642277002 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:00.800606966 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:00.800862074 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:01.941507101 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:01.942255020 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.100687981 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.102413893 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.261004925 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.261544943 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.460472107 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.484133959 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.485260010 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.643481970 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.644001961 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.811086893 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.811356068 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.969512939 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.969547987 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:02.971539021 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.971740961 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.972362995 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:02.972477913 CEST  49760        587        192.168.2.4     162.241.85.194
Apr 12, 2021 11:17:03.129873037 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:03.130459070 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:03.130856037 CEST  587          49760      162.241.85.194  192.168.2.4
Apr 12, 2021 11:17:03.181412935 CEST  49760        587        192.168.2.4     162.241.85.194

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 11:16:59.627403021 CEST | 192.168.2.4 | 8.8.8.8 | 0x6de5 | Standard query (0) | mail.lallyautomobiles.net | A (IP address) | IN (0x0001)
Apr 12, 2021 11:17:00.321012020 CEST | 192.168.2.4 | 8.8.8.8 | 0x7fb0 | Standard query (0) | mail.lallyautomobiles.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 11:16:59.927588940 CEST | 8.8.8.8 | 192.168.2.4 | 0x6de5 | No error (0) | mail.lallyautomobiles.net | lallyautomobiles.net | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 11:16:59.927588940 CEST | 8.8.8.8 | 192.168.2.4 | 0x6de5 | No error (0) | lallyautomobiles.net | - | 162.241.85.194 | A (IP address) | IN (0x0001)
Apr 12, 2021 11:17:00.514744997 CEST | 8.8.8.8 | 192.168.2.4 | 0x7fb0 | No error (0) | mail.lallyautomobiles.net | lallyautomobiles.net | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 11:17:00.514744997 CEST | 8.8.8.8 | 192.168.2.4 | 0x7fb0 | No error (0) | lallyautomobiles.net | - | 162.241.85.194 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 12, 2021 11:17:01.941507101 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 220-rs011.webhostbox.net ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 09:17:01 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 12, 2021 11:17:01.942255020 CEST | 49760 | 587 | 192.168.2.4 | 162.241.85.194 | EHLO 648351
Apr 12, 2021 11:17:02.100687981 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 250-rs011.webhostbox.net Hello 648351 [84.17.52.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 12, 2021 11:17:02.102413893 CEST | 49760 | 587 | 192.168.2.4 | 162.241.85.194 | AUTH login c2VydmljZWtybEBsYWxseWF1dG9tb2JpbGVzLm5ldA==
Apr 12, 2021 11:17:02.261004925 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Apr 12, 2021 11:17:02.484133959 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 235 Authentication succeeded
Apr 12, 2021 11:17:02.485260010 CEST | 49760 | 587 | 192.168.2.4 | 162.241.85.194 | MAIL FROM:<servicekrl@lallyautomobiles.net>
Apr 12, 2021 11:17:02.643481970 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 250 OK
Apr 12, 2021 11:17:02.644001961 CEST | 49760 | 587 | 192.168.2.4 | 162.241.85.194 | RCPT TO:<servicekrl@lallyautomobiles.net>
Apr 12, 2021 11:17:02.811086893 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 250 Accepted
Apr 12, 2021 11:17:02.811356068 CEST | 49760 | 587 | 192.168.2.4 | 162.241.85.194 | DATA
Apr 12, 2021 11:17:02.969547987 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Apr 12, 2021 11:17:02.972477913 CEST | 49760 | 587 | 192.168.2.4 | 162.241.85.194 | .
Apr 12, 2021 11:17:03.130856037 CEST | 587 | 49760 | 162.241.85.194 | 192.168.2.4 | 250 OK id=1lVsgo-00245X-T8

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 11:15:05
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Remittance Details,.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Remittance Details,.exe'
Imagebase: 0x7ffabd480000
File size: 763904 bytes
MD5 hash: 7C11EF37A7BDAD154A455D59B65C190A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.720108696.0000000002A35000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.722663063.0000000003B96000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 11:15:15
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Remittance Details,.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Remittance Details,.exe
Imagebase: 0x7ffabd480000
File size: 763904 bytes
MD5 hash: 7C11EF37A7BDAD154A455D59B65C190A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.966156709.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.962851054.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 11:15:49
Start date: 12/04/2021
Path: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Imagebase: 0xda0000
File size: 763904 bytes
MD5 hash: 7C11EF37A7BDAD154A455D59B65C190A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.817115472.0000000004405000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.815029324.00000000032A5000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 17%, ReversingLabs
Reputation: low

General

Start time: 11:15:58
Start date: 12/04/2021
Path: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Imagebase: 0x780000
File size: 763904 bytes
MD5 hash: 7C11EF37A7BDAD154A455D59B65C190A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 11:15:58
Start date: 12/04/2021
Path: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Imagebase: 0x580000
File size: 763904 bytes
MD5 hash: 7C11EF37A7BDAD154A455D59B65C190A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.962815631.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.964563945.0000000002941000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis