Analysis Report Order 00223342.exe

Overview

General Information

Sample Name:Order 00223342.exe
Analysis ID:385373
MD5:42ffdd434efb48304897358b608ec54b
SHA1:eedf22856000a4725f04b4a104548b6cee6d2fbe
SHA256:b68ec64435f531b2cf211c6012726ec96585a06aa3da09bde450d04c7f7754b3
Tags:AgentTesla

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Order 00223342.exe (PID: 1844 cmdline: 'C:\Users\user\Desktop\Order 00223342.exe' MD5: 42FFDD434EFB48304897358B608EC54B)
    • schtasks.exe (PID: 5536 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kprUEGC.exe (PID: 6620 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 42FFDD434EFB48304897358B608EC54B)
    • schtasks.exe (PID: 6800 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp188D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kprUEGC.exe (PID: 6912 cmdline: {path} MD5: 42FFDD434EFB48304897358B608EC54B)
  • kprUEGC.exe (PID: 6876 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 42FFDD434EFB48304897358B608EC54B)
    • schtasks.exe (PID: 7008 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp38A7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kprUEGC.exe (PID: 7056 cmdline: {path} MD5: 42FFDD434EFB48304897358B608EC54B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "importdox_jberedo@afciphil.com.phr35eCaR@t4mail.afciphil.com.ph"}

The "SMTP Info" value is the extractor's concatenation of the account, password and mail-server fields with no separator. Its trailing component, mail.afciphil.com.ph, is the host queried in DNS and contacted on TCP 587 in the Networking section, so the exfiltration goes to a mailbox on that (apparently legitimate) domain rather than to dedicated attacker infrastructure; the account/password boundary inside the remainder cannot be read off the blob alone.

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.460273189.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000018.00000002.460425912.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.315476006.0000000004710000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000017.00000002.330051191.0000000003DB0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(18 entries in total; first 5 shown)

The dump name encodes process number, run, dump id, base address, page protection and type. The dumps at 0x402000 with protection 0x40 (PAGE_EXECUTE_READWRITE) in processes 5, 0x18 (24) and 0x1B (27) are the payload image written into the hollowed child processes; they correspond to the 5.2/24.2/27.2 ...400000.0.unpack entries below and in the AV Detection section.

            Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.kprUEGC.exe.492ec70.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Order 00223342.exe.3a5b760.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
20.2.kprUEGC.exe.4859c20.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Order 00223342.exe.3a5b760.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
24.2.kprUEGC.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(7 entries in total; first 5 shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data:
    Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
    CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
    CommandLine|base64offset|contains: *j
    Image: C:\Windows\SysWOW64\schtasks.exe
    NewProcessName: C:\Windows\SysWOW64\schtasks.exe
    OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
    ParentCommandLine: 'C:\Users\user\Desktop\Order 00223342.exe'
    ParentImage: C:\Users\user\Desktop\Order 00223342.exe
    ParentProcessId: 1844
    ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
    ProcessId: 5536

The command line names System32\schtasks.exe while Image and NewProcessName show SysWOW64\schtasks.exe: the sample is a 32-bit PE, so WOW64 file-system redirection ran the 32-bit copy. Detections keyed on the image path must cover both directories, and the task XML itself is written to a tmp*.tmp file in the user's Temp directory, which is the Sigma rule's trigger.
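The Sigma hit above and the Startup tree give two process-level detections worth implementing: schtasks.exe registering a task from an XML file under a Temp directory, and a process launching a second copy of its own image (kprUEGC.exe PID 6620 starting PID 6912 with cmdline {path}), which is how the payload ends up in a hollowed child. The Python below is an added example, not part of the Joe Sandbox report: the event records are constructed from the process tree above (parent PIDs taken from the tree indentation), and the pid/ppid/image/cmdline field names, the benign control event and the Temp-path patterns are assumptions about the log source.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names are an assumption about the log source)."""
    pid: int
    ppid: int
    image: str      # resolved image path as the OS reports it
    cmdline: str    # command line as supplied by the parent


# Constructed from the report's Startup tree; ppid 0 = parent not shown in the tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(1844, 0, r"C:\Users\user\Desktop\Order 00223342.exe",
              r"'C:\Users\user\Desktop\Order 00223342.exe'"),
    ProcEvent(5536, 1844, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'"),
    ProcEvent(5472, 5536, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6620, 0, r"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe",
              r"'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'"),
    ProcEvent(6800, 6620, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp188D.tmp'"),
    ProcEvent(6912, 6620, r"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe",
              r"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"),
    # Constructed benign control: a task registered from a non-Temp XML file.
    ProcEvent(9001, 900, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN 'Backup' /XML 'C:\ProgramData\Backup\task.xml'"),
]

# Assumed Temp locations; extend for the environment being monitored.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# /XML value, either quoted (may contain spaces) or a bare token.
XML_ARG_RE = re.compile(r"/XML\s+(?:['\"]([^'\"]+)['\"]|(\S+))", re.IGNORECASE)


def schtasks_from_temp(ev: ProcEvent) -> Optional[str]:
    """Return the Temp-resident XML path when ev is 'schtasks /Create ... /XML <Temp file>'.

    The test is on the resolved image name, not on the path typed in the command
    line: the 32-bit sample typed System32 but WOW64 redirection ran the SysWOW64
    copy, exactly as the Image field of the Sigma event shows.
    """
    if not ev.image.lower().endswith(r"\schtasks.exe"):
        return None
    if "/create" not in ev.cmdline.lower():
        return None
    m = XML_ARG_RE.search(ev.cmdline)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    return path if TEMP_DIR_RE.search(path) else None


def self_spawn(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where a process started a child running its own image.

    In the report this is kprUEGC.exe 6620 -> 6912: the parent creates the child
    suspended and replaces its image with the unpacked payload.
    """
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


def run(events: List[ProcEvent] = EVENTS) -> Dict[str, object]:
    """Apply both checks and return the findings keyed by check name."""
    temp_tasks: Dict[int, str] = {}
    for e in events:
        xml = schtasks_from_temp(e)
        if xml:
            temp_tasks[e.pid] = xml
    return {"temp_task_xml": temp_tasks, "self_spawn": self_spawn(events)}


if __name__ == "__main__":
    for check, hits in run().items():
        print(check, hits)
```

Against the constructed events this flags PIDs 5536 and 6800 (task XML in the user's Temp directory) and the pair (6620, 6912); the control event registering a task from C:\ProgramData is not reported. A real deployment would feed Sysmon event ID 1 or Security 4688 records into ProcEvent.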

                      Signature Overview


                      AV Detection:

Found malware configuration
Source: 20.2.kprUEGC.exe.492ec70.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "importdox_jberedo@afciphil.com.phr35eCaR@t4mail.afciphil.com.ph"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Roaming\lispKbUDYY.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Order 00223342.exe | Virustotal: Detection: 34%
Source: Order 00223342.exe | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\lispKbUDYY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Order 00223342.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 27.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.Order 00223342.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Uses 32bit PE files
Source: Order 00223342.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Order 00223342.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49743 -> 216.239.133.246:587
Source: global traffic | TCP traffic: 192.168.2.3:49743 -> 216.239.133.246:587 (reported twice)
Source: Joe Sandbox View | ASN Name: OMNISUS OMNISUS
Source: unknown | DNS traffic detected: queries for: mail.afciphil.com.ph

The connection-level evidence is the three lines above: one DNS lookup and one TCP 587 (SMTP submission) session to the resolved host, which is also the server named in the extracted configuration. Most of the strings listed below are not network indicators. The fontbureau.com, founder.com.cn, monotype, sajatypeworks and similar URLs are font-vendor metadata from embedded font resources; the 4cdn.org, 8kun.top and github.com/murrty/YChanEx strings in process 0x17 match the open-source YChanEx downloader, so the outer executable appears to be a modified build of that project used as the host for the payload; api.ipify.org is the usual external-IP lookup. The strings specific to this sample and family are mail.afciphil.com.ph, the theonionrouter.com Tor download URL (the stealer's optional Tor transport), and the random-looking HqokBq.com and k0Gm8QDgO4.com hosts.

Source: Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, kprUEGC.exe, 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://HqokBq.com
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: http://api.github.com/repos/
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Order 00223342.exe, 00000005.00000002.470501778.0000000002EA6000.00000004.00000001.sdmp | String found in binary or memory: http://mail.afciphil.com.ph
Source: Order 00223342.exe, 00000000.00000002.219781730.0000000002ACB000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.310980902.0000000003211000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.325342975.0000000002921000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order 00223342.exe, 00000000.00000003.198394268.0000000007DD6000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Order 00223342.exe, 00000000.00000002.228398441.0000000007D90000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order 00223342.exe, 00000000.00000003.199851843.0000000007D9E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/A
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order 00223342.exe, 00000000.00000003.199851843.0000000007D9E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersF
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order 00223342.exe, 00000000.00000003.201764642.0000000007D9E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersX
Source: Order 00223342.exe, 00000000.00000003.201681390.0000000007D9C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: Order 00223342.exe, 00000000.00000002.228398441.0000000007D90000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdiaF
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Order 00223342.exe, 00000000.00000003.194682211.0000000007DAB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
Source: Order 00223342.exe, 00000000.00000003.196124278.0000000007D92000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order 00223342.exe, 00000000.00000003.195803424.0000000007DCD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnTF
Source: Order 00223342.exe, 00000000.00000003.195819262.0000000007D92000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnX
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order 00223342.exe, 00000000.00000003.202959871.0000000007D9B000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Order 00223342.exe, 00000000.00000002.233192560.000000000B640000.00000002.00000001.sdmp, Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://8chan.moe/
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://8kun.top/
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://a.4cdn.org/
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.420chan.org/
Source: kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%e
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/murrty/YChanEx/
Source: Order 00223342.exe, 00000000.00000002.219512456.0000000002A21000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.310980902.0000000003211000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/murrty/ychanex
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/murrty/ychanex/releases/latest
Source: Order 00223342.exe, 00000005.00000002.470501778.0000000002EA6000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.470240847.0000000002E64000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.470558155.0000000002EB4000.00000004.00000001.sdmp | String found in binary or memory: https://k0Gm8QDgO4.com
Source: kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/
Source: Order 00223342.exe, 00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.460273189.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000014.00000002.315476006.0000000004710000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.330051191.0000000003DB0000.00000004.00000001.sdmp, kprUEGC.exe, 00000018.00000002.460425912.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.460412900.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, kprUEGC.exe, 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
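The Snort alert, the TCP 587 flow and the DNS query are the three network facts a defender can act on, and the same pattern (a workstation speaking SMTP submission directly to an external mail server) is what ET rule 2030171 keys on. The Python below is an added example, not part of the report: it flags mail-protocol connections leaving an internal host for any destination other than the organisation's own submission relay, attributes the destination through the DNS log, and peels the observed SMTP host off the extracted "SMTP Info" blob. The connection and DNS records are constructed from the figures above; ALLOWED_RELAYS, the extra benign flows, the RFC 1918 internal ranges and the account/password reading of the blob are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

MAIL_PORTS = {25, 465, 587}                       # SMTP, SMTPS, submission
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]          # assumed internal ranges
ALLOWED_RELAYS = {"smtp.corp.example"}            # assumed sanctioned submission host


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed: the report's flow plus benign traffic that must not alert.
CONNS: List[Conn] = [
    Conn("192.168.2.3", 49743, "216.239.133.246", 587),   # from the report
    Conn("192.168.2.3", 49750, "203.0.113.25", 587),      # to the sanctioned relay
    Conn("192.168.2.3", 49760, "93.184.216.34", 443),     # ordinary HTTPS
    Conn("10.0.0.5", 51000, "10.0.0.9", 25),              # internal-to-internal SMTP
]

# Constructed DNS log (name -> answer); the first entry is the report's query.
DNS_LOG: Dict[str, str] = {
    "mail.afciphil.com.ph": "216.239.133.246",
    "smtp.corp.example": "203.0.113.25",
}

# The extractor output from the Malware Configuration section.
SMTP_INFO = "importdox_jberedo@afciphil.com.phr35eCaR@t4mail.afciphil.com.ph"


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def smtp_egress_alerts(conns: List[Conn] = CONNS,
                       dns_log: Dict[str, str] = DNS_LOG) -> List[Dict[str, object]]:
    """Mail-port connections from an internal host to an external, non-relay destination."""
    rdns = {addr: name for name, addr in dns_log.items()}   # answer -> queried name
    alerts = []
    for c in conns:
        if c.dport not in MAIL_PORTS:
            continue
        if not is_internal(c.src) or is_internal(c.dst):
            continue                                      # only outbound egress
        name = rdns.get(c.dst)
        if name in ALLOWED_RELAYS:
            continue
        alerts.append({"src": c.src, "sport": c.sport, "dst": c.dst,
                       "dport": c.dport, "dst_name": name or "<no DNS answer seen>"})
    return alerts


def split_smtp_info(blob: str, host: str) -> Optional[Dict[str, str]]:
    """Peel the observed SMTP host off the extractor's concatenated blob.

    The blob is account + password + server with no separator (an inference);
    the account/password boundary is not recoverable from the blob alone, so the
    remainder is returned as one field for the analyst.
    """
    if not blob.endswith(host):
        return None
    return {"host": host, "account_and_password": blob[: -len(host)]}


if __name__ == "__main__":
    for a in smtp_egress_alerts():
        print("ALERT", a)
    print(split_smtp_info(SMTP_INFO, "mail.afciphil.com.ph"))
```

Only the flow to 216.239.133.246:587 is reported, attributed to mail.afciphil.com.ph through the DNS log; the relay, HTTPS and internal SMTP flows are ignored. In production the same logic runs over Zeek conn and dns logs or firewall flow records, and the SMTP host from the configuration goes straight into the DNS block list.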

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Order 00223342.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Order 00223342.exe
The hook is a low-level keyboard hook (WH_KEYBOARD_LL) installed by the sample itself, i.e. the keylogger component; it does not require injecting a DLL into other processes.
Source: Order 00223342.exe, 00000000.00000002.218695128.0000000000E10000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Order 00223342.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window created: window name: CLIPBRDWNDCLASS (reported twice)

                      Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\Order 00223342.exe | File written: C:\Windows\System32\drivers\etc\hosts
The report records the write but not the contents, so on an affected machine the hosts file has to be read back and compared against the Windows default (comments only) to find the added mappings.
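Because the report records a write to the hosts file but not what was written, the file has to be audited on the affected host. The Python below is an added example, not from the report: it parses a hosts file and flags every active (uncommented) mapping, marking those that sinkhole a non-local name to loopback or 0.0.0.0, the usual purpose of a malware write to that file, separately from other overrides. The sample file content is constructed, including the two tampered lines; the vendor-like names in it are placeholders, not domains the report names.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed hosts file: Windows default header plus two tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1\tupdate.example-av.test
0.0.0.0 telemetry.example.test # trailing comment is legal
"""

# <address> <one or more names> [# comment]
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*(?:#.*)?$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[int, object, List[str]]]:
    """Return (line number, ip address, [names]) for every active entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank or comment line
        m = ENTRY_RE.match(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))
        except ValueError:
            continue                              # malformed address, not a mapping
        entries.append((lineno, addr, m.group(2).split()))
    return entries


def suspicious_entries(text: str = SAMPLE_HOSTS) -> List[Dict[str, object]]:
    """Flag active mappings for non-local names; sinkholes get their own reason."""
    hits = []
    for lineno, addr, names in parse_hosts(text):
        sinkhole = addr.is_loopback or addr.is_unspecified   # 127.x / ::1 / 0.0.0.0
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue                          # the defaults, when uncommented
            hits.append({
                "line": lineno,
                "address": str(addr),
                "name": name,
                "reason": "sinkholed to loopback/0.0.0.0" if sinkhole else "non-local override",
            })
    return hits


if __name__ == "__main__":
    for h in suspicious_entries():
        print(h)
```

On a default Windows 10 installation every line of the file is a comment, so any finding at all is worth an analyst's look; on a host with legitimate local overrides, compare against a known-good copy instead. To run it against a real machine, read C:\Windows\System32\drivers\etc\hosts and pass the text to suspicious_entries().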

                      System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Order 00223342.exe

Source: C:\Users\user\Desktop\Order 00223342.exe | Code functions (0_2): 00DF2160, 00DF0480, 00DF0F90, 00DF2FA0, 00DF3D90, 00DF2151, 00DF0470, 00DF4BE0, 00DF2EC1, 00DF4F88, 00DF2F09, 00DF5170, 00DF5398, 00DF1BD1, 00DF1BE0
Source: C:\Users\user\Desktop\Order 00223342.exe | Code functions (0_2): 04A754B8, 04A70448, 04A7D598, 04A7AE50, 04A73738, 04A74280, 04A74AD8, 04A79A40, 04A7A4FB, 04A78460, 04A78450, 04A7D588, 04A74518, 04A7863A, 04A78648, 04A7EF98, 04A7B7E0, 04A7B7D0, 04A79F48, 04A780A8, 04A78888, 04A78878, 04A741F9, 04A78913, 04A78AA8, 04A7B2B0, 04A79A3B, 04A77268, 04A77278
Source: C:\Users\user\Desktop\Order 00223342.exe | Code functions (0_2): 0942AA98, 0942C130, 0942202C, 0942E3C0, 0942F508, 0942AF70, 09422029, 0942D450, 094247A1
Source: C:\Users\user\Desktop\Order 00223342.exe | Code functions (0_2): 1290028B, 12900040, 129021B9, 12900007, 12904CC8
Source: C:\Users\user\Desktop\Order 00223342.exe | Code functions (5_2): 00D73568, 00D75A10, 00D76770, 00DFC928, 00DF79A0, 00E06083, 00E01108, 00E054D0, 00E03530, 00E09FD0, 00E0F9B9, 00E0AC6E, 00E0AC20, 00EF47A0, 00EF3CCC
                      Source: C:\Users\user\Desktop\Order 00223342.exeCode function: 5_2_00EF4790
                      Source: C:\Users\user\Desktop\Order 00223342.exeCode function: 5_2_00EF4772
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01742151
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01740470
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01742FA0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01740F90
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01744BD0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01744F79
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01744F88
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01740EF1
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01742EC1
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01745170
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01745160
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01745398
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01745388
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01741BD1
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01743D90
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_01743D81
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_069A028B
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_069A20E9
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_069A0040
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_069A4A81
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 20_2_069A0006
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02712151
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02710470
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02712FA0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02710F90
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02714BD0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02710EF1
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02712EC1
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02714F7B
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02712F09
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02714F88
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02715398
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02715388
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02715170
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02715160
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02711BD1
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02713D90
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_02713D83
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544D598
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05440448
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_054454B9
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05449A40
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544AE51
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544F211
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05444AD8
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05444280
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448913
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05444518
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_054441F8
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544D588
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448450
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448460
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448878
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544A4FC
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448888
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_054480A8
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05449F48
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544EF10
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05449F28
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05443738
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544B7D0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0544B7E0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448648
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05447270
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05447278
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05444215
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05449A30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448638
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_05448AA8
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0730028B
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_07300040
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_073020E9
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_07301509
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_07304C78
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_073014B0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_07300007
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EAB08
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EC190
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EF518
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EAAF8
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5E4800
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EAFD0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EAFC3
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EE3D0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5E2084
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5E2080
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5EC180
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5ED4B0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 23_2_0A5ED4A0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 24_2_029347A0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 24_2_029346B0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 24_2_0293D820
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 27_2_02D247A0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 27_2_02D23CCC
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 27_2_02D246B0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 27_2_02D25490
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 27_2_02D23CC0
                      Source: Order 00223342.exe | Binary or memory string: set_SaveOriginalFilenames vs Order 00223342.exe
                      Source: Order 00223342.exe | Binary or memory string: get_SaveOriginalFilenames vs Order 00223342.exe
                      Source: Order 00223342.exe | Binary or memory string: SaveOriginalFilenames vs Order 00223342.exe
                      Source: Order 00223342.exe | Binary or memory string: chkSaveOriginalFileNames vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.217773004.00000000005C2000.00000002.00020000.sdmp | Binary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.217773004.00000000005C2000.00000002.00020000.sdmp | Binary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.217773004.00000000005C2000.00000002.00020000.sdmp | Binary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameByEIjKFtfYnVZHkwWHpDIjdmhjjCobbAnTaXtW.exe4 vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.218695128.0000000000E10000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.220768013.0000000002F6A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.229493870.0000000009430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.229550536.00000000094A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.234281080.0000000012720000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.234281080.0000000012720000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000000.00000002.234177780.0000000012630000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000004.00000000.216040342.00000000001C2000.00000002.00020000.sdmp | Binary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000004.00000000.216040342.00000000001C2000.00000002.00020000.sdmp | Binary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000004.00000000.216040342.00000000001C2000.00000002.00020000.sdmp | Binary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000004.00000002.216297134.000000000029C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000002.465804898.0000000000F1A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000000.217004851.000000000078C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000002.463591656.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000002.461767397.0000000000B38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000000.216916289.00000000006B2000.00000002.00020000.sdmp | Binary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000000.216916289.00000000006B2000.00000002.00020000.sdmp | Binary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000000.216916289.00000000006B2000.00000002.00020000.sdmp | Binary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000002.460273189.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameByEIjKFtfYnVZHkwWHpDIjdmhjjCobbAnTaXtW.exe4 vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000002.463506367.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Order 00223342.exe
                      Source: Order 00223342.exe, 00000005.00000002.463735108.0000000000D80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Order 00223342.exe
                      Source: Order 00223342.exe | Binary or memory string: HttpWebRequestMethodIfModifiedSinceDownloadsget_SaveThumbnailsset_SaveThumbnailsget_SaveHTMLset_SaveHTMLget_SaveOriginalFilenamesset_SaveOriginalFilenamesget_PreventDuplicatesset_PreventDuplicatesget_DownloadPathset_DownloadPathget_ScannerDelayset_ScannerDelayget_AllowFileNamesGreaterThan255set_AllowFileNamesGreaterThan255get_fchanWarningset_fchanWarningget_UseThreadNameset_UseThreadName vs Order 00223342.exe
                      Source: Order 00223342.exe | Binary or memory string: SaveThumbnailsSaveHTMLSaveOriginalFilenamesPreventDuplicatesDownloadPathScannerDelayAllowFileNamesGreaterThan255fchanWarningUseThreadNameErrorLogReportWebExceptionWebExceptionWebsiteAddressReportExceptionExceptionIsWriteToFileWriteToFileBuffer vs Order 00223342.exe
                      Source: Order 00223342.exe | Binary or memory string: frmSettingstcMainTabControltabDownloadsTabPagenumTimerNumericUpDownlbTimerlbSavePathbtnBrowsechkMoveExistingDownloadsCheckBoxtabApplicationtabAdvancedtabResetbtnUserScriptbtnProtocolbtnSCanbtnSSavechkPreventDuplicateschkSaveOriginalFileNameschkDownloadThumbnailschkDownloadHTMLtxtSavePathchkUseFullBoardNameForTitlechkEnableUpdateschkShowExitWarningchkMinimizeToTraychkShowTrayIconttSettingsToolTipchkSaveDownloadQueueOnExitlbUserAgentchkSilenceErrorschkDisableScannerWhenOpeningSettingstxtUserAgentbtnOpenLocalFilestabRegexlbRegexInfotxtRegexlvRegexchkAllowFileNamesGreaterThan255chkMinimizeInsteadOfExitinglbRegexHintchkResetRegexSettingschkResetAdvancedSettingschkResetApplicationSettingschkResetDownloadSettingsbtnResetSettingschkEnableSettingsResetlbScanDelaySecondschkRetrieveThreadNamebtnSSave_ClickLoadSettingsSaveSettingsbtnBrowse_ClickbtnSCan_ClickbtnOpenLocalFiles_ClicklvRegex_SelectedIndexChangedtxtRegex_TextChangedchkEnableSettingsReset_CheckedChangedbtnResetSettings_Click vs Order 00223342.exe
                      Source: Order 00223342.exe | Binary or memory string: OriginalFilename vs Order 00223342.exe
                      Source: Order 00223342.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Order 00223342.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: lispKbUDYY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: kprUEGC.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@20/11@1/1
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File created: C:\Users\user\AppData\Roaming\lispKbUDYY.exe
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Mutant created: \Sessions\1\BaseNamedObjects\jTVJISvhdpjnf
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7A68.tmp
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Order 00223342.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Order 00223342.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Order 00223342.exe | Virustotal: Detection: 34%
                      Source: Order 00223342.exe | ReversingLabs: Detection: 27%
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File read: C:\Users\user\Desktop\Order 00223342.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Order 00223342.exe 'C:\Users\user\Desktop\Order 00223342.exe'
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process created: C:\Users\user\Desktop\Order 00223342.exe {path}
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process created: C:\Users\user\Desktop\Order 00223342.exe {path}
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp188D.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp38A7.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: Window Recorder -- Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Order 00223342.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Order 00223342.exe -- Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 0_2_005C2B1E push edx; iretd
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 0_2_005C25DF push ds; iretd
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 0_2_005C29F6 push edi; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 0_2_005C228F push eax; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 4_2_001C2B1E push edx; iretd
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 4_2_001C228F push eax; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 4_2_001C25DF push ds; iretd
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 4_2_001C29F6 push edi; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_006B2B1E push edx; iretd
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_006B29F6 push edi; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_006B25DF push ds; iretd
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_006B228F push eax; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_00D7B457 push edi; retn 0000h
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_00D7DA86 push esi; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_00DF3080 pushad ; retf
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_00E09176 push es; ret
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Code function: 5_2_00E0D50E push ds; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 20_2_00CD25DF push ds; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 20_2_00CD29F6 push edi; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 20_2_00CD228F push eax; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 20_2_00CD2B1E push edx; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 23_2_00572B1E push edx; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 23_2_005725DF push ds; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 23_2_005729F6 push edi; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 23_2_0057228F push eax; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 23_2_0544D492 push ebx; retf
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 24_2_0293CF71 push esp; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 27_2_009B228F push eax; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 27_2_009B25DF push ds; iretd
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 27_2_009B29F6 push edi; ret
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Code function: 27_2_009B2B1E push edx; iretd
                      Source: initial sample -- Static PE information: section name: .text entropy: 7.62719449376
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- File created: C:\Users\user\AppData\Roaming\lispKbUDYY.exe
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Order 00223342.exe -- Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe -- Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: Process Memory Space: Order 00223342.exe PID: 1844, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6876, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6620, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Order 00223342.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Order 00223342.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Order 00223342.exe, 00000000.00000002.221018992.000000000312E000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.310980902.0000000003211000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Order 00223342.exe, 00000000.00000002.221018992.000000000312E000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.310980902.0000000003211000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Window / User API: threadDelayed 3379
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Window / User API: threadDelayed 6446
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 2953
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 6869
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 1115
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window / User API: threadDelayed 8736
                      Source: C:\Users\user\Desktop\Order 00223342.exe TID: 488 | Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\Desktop\Order 00223342.exe TID: 5556 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Order 00223342.exe TID: 1968 | Thread sleep time: -19369081277395017s >= -30000s
                      Source: C:\Users\user\Desktop\Order 00223342.exe TID: 3412 | Thread sleep count: 3379 > 30
                      Source: C:\Users\user\Desktop\Order 00223342.exe TID: 3412 | Thread sleep count: 6446 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6624 | Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6704 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6880 | Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6932 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1760 | Thread sleep count: 31 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1760 | Thread sleep time: -28592453314249787s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1180 | Thread sleep count: 2953 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1180 | Thread sleep count: 6869 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5036 | Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 476 | Thread sleep count: 1115 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 476 | Thread sleep count: 8736 > 30
                      Source: C:\Users\user\Desktop\Order 00223342.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Order 00223342.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Thread delayed: delay time: 31500
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 31500
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 31500
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Thread delayed: delay time: 922337203685477
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Order 00223342.exe, 00000005.00000002.475079258.0000000006465000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:O
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                      Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Code function: 5_2_00D7F910 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into foreign processes
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Memory written: C:\Users\user\Desktop\Order 00223342.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A
                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process created: C:\Users\user\Desktop\Order 00223342.exe {path}
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Process created: C:\Users\user\Desktop\Order 00223342.exe {path}
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp188D.tmp'
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp38A7.tmp'
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
                      Source: Order 00223342.exe, 00000005.00000002.466597174.0000000001570000.00000002.00000001.sdmp, kprUEGC.exe, 00000018.00000002.465377247.0000000001490000.00000002.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467084894.0000000001890000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: Order 00223342.exe, 00000005.00000002.466597174.0000000001570000.00000002.00000001.sdmp, kprUEGC.exe, 00000018.00000002.465377247.0000000001490000.00000002.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467084894.0000000001890000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: Order 00223342.exe, 00000005.00000002.466597174.0000000001570000.00000002.00000001.sdmp, kprUEGC.exe, 00000018.00000002.465377247.0000000001490000.00000002.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467084894.0000000001890000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: Order 00223342.exe, 00000005.00000002.466597174.0000000001570000.00000002.00000001.sdmp, kprUEGC.exe, 00000018.00000002.465377247.0000000001490000.00000002.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467084894.0000000001890000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
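                      Added example (not part of this report and not Joe Sandbox tooling): a small triage script that turns event lines of the kind listed in the evasion section above (WMI hardware classes, VM artefact strings, long sleeps, sleep loops) and in this section (an MZ header written at base 0x400000 of a process with the writer's own image path, the hosts file write, schtasks creating a task from an XML file in the user's Temp folder) into scored findings. It assumes lines laid out as "Source: <process or dump> | <event>: <detail>"; the sample events embedded in it are constructed from entries on this page, and the 30000 ms and 30-sleep thresholds are the ones the report itself prints. The rule names, tactic buckets and the Finding type are the example's own.

```python
"""Turn sandbox behaviour event lines into scored findings.

Added example, not part of the report. Each event line is assumed to read
"Source: <process or memory dump> | <event name>: <detail>".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: events transcribed from this report, plus one benign
# font probe at the end to show that ordinary runtime noise is ignored.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\Order 00223342.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Order 00223342.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Order 00223342.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\Order 00223342.exe TID: 3412 | Thread sleep count: 3379 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: kprUEGC.exe, 00000017.00000002.327794916.0000000002F84000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Order 00223342.exe | Memory written: C:\Users\user\Desktop\Order 00223342.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Order 00223342.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Order 00223342.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
"""

LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<event>[^:]+?):\s*(?P<detail>.*)$")
LONG_SLEEP_MS = 30_000   # thresholds the report prints: "-31500s >= -30000s", "3379 > 30"
SLEEP_LOOP_COUNT = 30
# WMI classes whose values differ between bare metal and a hypervisor.
HW_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
                  "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}
VM_HINTS = ("vmware", "vbox", "virtualbox", "qemu", "sbiedll", "wine_get_unix_file_name")
# schtasks /Create whose task definition XML lives in the user's Temp directory.
SCHTASKS_TEMP_RE = re.compile(
    r"schtasks\.exe.*?/Create.*?/TN\s+'(?P<tn>[^']+)'.*?/XML\s+'(?P<xml>[^']*\\Temp\\[^']+)'", re.I)
# A PE header (MZ) written at the target's image base.
MZ_AT_BASE_RE = re.compile(
    r"^(?P<target>.+?)\s+base:\s*(?P<base>[0-9a-f]+)\s+value starts with:\s*4d5a$", re.I)

@dataclass(frozen=True)
class Finding:
    tactic: str   # evasion | injection | tampering | persistence
    rule: str
    source: str
    note: str

def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one event line into (source, event, detail); None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m["source"], m["event"].strip(), m["detail"].strip()) if m else None

def classify(source: str, event: str, detail: str) -> Optional[Finding]:
    """Map one event to a finding, or None when it is ordinary runtime noise."""
    numbers = [int(n) for n in re.findall(r"\d+", detail)]
    if event == "WMI Queries":
        hit = HW_WMI_CLASSES.intersection(re.findall(r"Win32_\w+", detail))
        if hit:
            return Finding("evasion", "wmi-hardware-fingerprint", source, ", ".join(sorted(hit)))
    elif event == "Thread delayed" and numbers and numbers[0] >= LONG_SLEEP_MS:
        return Finding("evasion", "long-sleep", source, f"{numbers[0]} ms")
    elif event == "Thread sleep count" and numbers and numbers[0] > SLEEP_LOOP_COUNT:
        return Finding("evasion", "sleep-loop", source, f"{numbers[0]} sleeps")
    elif event in ("File opened / queried", "Binary or memory string"):
        if any(hint in detail.lower() for hint in VM_HINTS):
            return Finding("evasion", "vm-artifact", source, detail)
    elif event == "Memory written":
        m = MZ_AT_BASE_RE.match(detail)
        if m:
            # Same path as the writer: a second instance of its own executable was the target.
            where = "a second instance of its own image (hollowed child)" if m["target"] == source else m["target"]
            return Finding("injection", "pe-image-written", source, f"MZ header at 0x{m['base']} in {where}")
    elif event == "File written" and detail.lower().endswith(r"\drivers\etc\hosts"):
        return Finding("tampering", "hosts-file-modified", source, detail)
    elif event == "Process created":
        m = SCHTASKS_TEMP_RE.search(detail)
        if m:
            return Finding("persistence", "schtasks-from-temp-xml", source, f"task {m['tn']} from {m['xml']}")
    return None

def triage(text: str) -> List[Finding]:
    """Classify every parseable line and keep the hits, in report order."""
    parsed = filter(None, map(parse_line, text.splitlines()))
    return [f for f in (classify(*p) for p in parsed) if f]

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Findings per tactic; a verdict can key off which buckets are non-empty."""
    return dict(Counter(f.tactic for f in findings))

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.tactic:11}] {f.rule:25} {f.note}")
    print(summarize(hits))
```

The injection note comes from comparing the write target with the writer: when both are the same image path, the writer is overwriting the image base of a second instance of its own executable (the `{path}` child created just before it in the process list above), which is what the injection signature in this section is flagging. The font probe at the end of the sample produces no finding, so the evasion bucket count is driven only by the hardware queries, artefact strings and sleeps.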
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Users\user\Desktop\Order 00223342.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Users\user\Desktop\Order 00223342.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.460273189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.460425912.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.315476006.0000000004710000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.330051191.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.460412900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6912, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Order 00223342.exe PID: 1844, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6876, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Order 00223342.exe PID: 4952, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6620, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7056, type: MEMORY
                      Source: Yara match | File source: 20.2.kprUEGC.exe.492ec70.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Order 00223342.exe.3a5b760.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.kprUEGC.exe.4859c20.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Order 00223342.exe.3a5b760.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.kprUEGC.exe.3ef9c20.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.Order 00223342.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.kprUEGC.exe.3fcec70.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.kprUEGC.exe.3fcec70.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.kprUEGC.exe.492ec70.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Order 00223342.exe.3a91980.2.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Order 00223342.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\Order 00223342.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6912, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Order 00223342.exe PID: 4952, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7056, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.460273189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.460425912.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.315476006.0000000004710000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.330051191.0000000003DB0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.460412900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6912, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Order 00223342.exe PID: 1844, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6876, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Order 00223342.exe PID: 4952, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 6620, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 7056, type: MEMORY
                      Source: Yara match | File source: 20.2.kprUEGC.exe.492ec70.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Order 00223342.exe.3a5b760.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.kprUEGC.exe.4859c20.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Order 00223342.exe.3a5b760.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.kprUEGC.exe.3ef9c20.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.Order 00223342.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.kprUEGC.exe.3fcec70.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.kprUEGC.exe.3fcec70.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.kprUEGC.exe.492ec70.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Order 00223342.exe.3a91980.2.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | Disable or Modify Tools 1 | Input Capture 111 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Obfuscated Files or Information 2 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | Security Software Discovery 321 | Distributed Component Object Model | Input Capture 111 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Process Discovery 2 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 141 | Cached Domain Credentials | Virtualization/Sandbox Evasion 141 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Behavior Graph ID: 385373, Sample: Order 00223342.exe, Startdate: 12/04/2021, Architecture: WINDOWS, Score: 100
                      (Graph image not reproduced; the nodes and edges recoverable from it are listed below, with the graph's own node numbers in parentheses.)

                      Start: signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for dropped file; 11 other signatures. Started: Order 00223342.exe (7), kprUEGC.exe (11), kprUEGC.exe (13)
                      Order 00223342.exe (7): dropped C:\Users\user\AppData\...\lispKbUDYY.exe (PE32), C:\Users\user\AppData\Local\...\tmp7A68.tmp (XML), C:\Users\user\...\Order 00223342.exe.log (ASCII). Signature: Injects a PE file into a foreign processes. Started: Order 00223342.exe (15), schtasks.exe (20), Order 00223342.exe (22)
                      kprUEGC.exe (11): signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines). Started: schtasks.exe (24), kprUEGC.exe (26)
                      kprUEGC.exe (13): started kprUEGC.exe (28), schtasks.exe (30)
                      Order 00223342.exe (15): DNS/IP: mail.afciphil.com.ph 216.239.133.246, 49743, 587, OMNISUS, United States. Dropped: C:\Users\user\AppData\Roaming\...\kprUEGC.exe (PE32), C:\Users\user\...\kprUEGC.exe:Zone.Identifier (ASCII). Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 4 other signatures
                      schtasks.exe (20): started conhost.exe (32)
                      schtasks.exe (24): started conhost.exe (34)
                      kprUEGC.exe (28): dropped C:\Windows\System32\drivers\etc\hosts (ASCII)
                      schtasks.exe (30): started conhost.exe (36)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      Order 00223342.exe | 35% | Virustotal |
                      Order 00223342.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                      Order 00223342.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\lispKbUDYY.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                      C:\Users\user\AppData\Roaming\lispKbUDYY.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      24.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      27.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      5.2.Order 00223342.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      Source | Detection | Scanner | Label
                      mail.afciphil.com.ph | 1% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cnX | 0% | Avira URL Cloud | safe
                      http://www.fontbureau.comdiaF | 0% | Avira URL Cloud | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      https://8chan.moe/ | 0% | Avira URL Cloud | safe
                      https://api.ipify.org%e | 0% | Avira URL Cloud | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://HqokBq.com | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://www.fonts.comc | 0% | URL Reputation | safe
                      http://mail.afciphil.com.ph | 0% | Avira URL Cloud | safe
                      https://8kun.top/ | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.founder.com.cn/cnTF0%Avira URL Cloudsafe
                      https://raw.githubusercontent.com/0%Avira URL Cloudsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      https://k0Gm8QDgO4.com0%Avira URL Cloudsafe
                      http://www.monotype.0%URL Reputationsafe
                      http://www.monotype.0%URL Reputationsafe
                      http://www.monotype.0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.afciphil.com.ph | 216.239.133.246 | true | true | - | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, kprUEGC.exe, 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersF | Order 00223342.exe, 00000000.00000003.199851843.0000000007D9E000.00000004.00000001.sdmp | false | - | high
https://github.com/murrty/ychanex/releases/latest | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.420chan.org/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers? | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnX | Order 00223342.exe, 00000000.00000003.195819262.0000000007D92000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comdiaF | Order 00223342.exe, 00000000.00000002.228398441.0000000007D90000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersX | Order 00223342.exe, 00000000.00000003.201764642.0000000007D9E000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://8chan.moe/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%e | Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers | kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://HqokBq.com | kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/A | Order 00223342.exe, 00000000.00000003.199851843.0000000007D9E000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/murrty/ychanex | Order 00223342.exe, 00000000.00000002.219512456.0000000002A21000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.310980902.0000000003211000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | - | high
https://github.com/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/DPlease | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.ascendercorp.com/typedesigners.html | Order 00223342.exe, 00000000.00000003.198394268.0000000007DD6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Order 00223342.exe, 00000000.00000002.233192560.000000000B640000.00000002.00000001.sdmp, Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order 00223342.exe, 00000000.00000002.219781730.0000000002ACB000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.310980902.0000000003211000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.325342975.0000000002921000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Order 00223342.exe, 00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.460273189.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000014.00000002.315476006.0000000004710000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.330051191.0000000003DB0000.00000004.00000001.sdmp, kprUEGC.exe, 00000018.00000002.460425912.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.460412900.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerss | Order 00223342.exe, 00000000.00000003.201681390.0000000007D9C000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | Order 00223342.exe, 00000000.00000002.228398441.0000000007D90000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comc | Order 00223342.exe, 00000000.00000003.194682211.0000000007DAB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.afciphil.com.ph | Order 00223342.exe, 00000005.00000002.470501778.0000000002EA6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://8kun.top/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, kprUEGC.exe, 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnTF | Order 00223342.exe, 00000000.00000003.195803424.0000000007DCD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | Order 00223342.exe, 00000000.00000003.196124278.0000000007D92000.00000004.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://k0Gm8QDgO4.com | Order 00223342.exe, 00000005.00000002.470501778.0000000002EA6000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.470240847.0000000002E64000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, Order 00223342.exe, 00000005.00000002.470558155.0000000002EB4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
http://www.monotype. | Order 00223342.exe, 00000000.00000003.202959871.0000000007D9B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://a.4cdn.org/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Order 00223342.exe, 00000000.00000002.228738440.0000000007F10000.00000002.00000001.sdmp, kprUEGC.exe, 00000014.00000002.319662498.0000000008560000.00000002.00000001.sdmp, kprUEGC.exe, 00000017.00000002.334421180.0000000007D90000.00000002.00000001.sdmp | false | - | high
https://github.com/murrty/YChanEx/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | - | high
http://api.github.com/repos/ | kprUEGC.exe, 00000017.00000002.325229593.00000000028B1000.00000004.00000001.sdmp | false | - | high

                                                                  Contacted IPs


                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
216.239.133.246 | mail.afciphil.com.ph | United States | 19237 | OMNISUS | true

                                                                  General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385373
Start date: 12.04.2021
Start time: 11:49:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 22s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Order 00223342.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@20/11@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.8% (good quality ratio 1.1%)
• Quality average: 33.8%
• Quality standard deviation: 33.2%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.64.90.137, 13.88.21.125, 20.82.209.183, 184.30.24.56, 92.122.213.194, 92.122.213.247, 20.54.26.129, 20.82.210.154
• Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
11:50:08  API Interceptor  668x Sleep call for process: Order 00223342.exe modified
11:50:37  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
11:50:45  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
11:50:48  API Interceptor  849x Sleep call for process: kprUEGC.exe modified

Joe Sandbox View / Context

IPs

Match            Associated Sample Name / URL                          Detection
216.239.133.246  Trolley Drawing.exe                                   malicious
                 jrUNlORC41.exe                                        malicious
                 SecuriteInfo.com.Trojan.PWS.Stealer.29660.22281.exe   malicious
                 RRC-095-20.xlsx                                       malicious

Domains

Match                  Associated Sample Name / URL                          Detection  Context
mail.afciphil.com.ph   Trolley Drawing.exe                                   malicious  216.239.133.246
                       jrUNlORC41.exe                                        malicious  216.239.133.246
                       SecuriteInfo.com.Trojan.PWS.Stealer.29660.22281.exe   malicious  216.239.133.246
                       RRC-095-20.xlsx                                       malicious  216.239.133.246

ASN

Associated Sample Name / URL                          Detection  Context
OMNISUSPO 210302-011.exe                              malicious  216.239.136.99
Trolley Drawing.exe                                   malicious  216.239.133.246
jrUNlORC41.exe                                        malicious  216.239.133.246
SecuriteInfo.com.Trojan.PWS.Stealer.29660.22281.exe   malicious  216.239.133.246
RRC-095-20.xlsx                                       malicious  216.239.133.246
AhoZAxHX4t.exe                                        malicious  216.239.136.99
Photo.exe                                             malicious  69.5.165.238

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 00223342.exe.log
Process: C:\Users\user\Desktop\Order 00223342.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\tmp188D.tmp
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1643
Entropy (8bit): 5.191935006828946
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Ttn:cbh47TlNQ//rydbz9I3YODOLNdq3h
MD5: 739C83E79C02D81150605F71DF35DD14
SHA1: D28870859AFCCB3329CB2C058EA2B111A7244EC8
SHA-256: 48FBD58CF4ABBA2117A0441C20858CE7F150EBE5DDB3730C80CD23213705AE42
SHA-512: D78431CE045DE6C25748584DF06FA4761B5368CE0BEEC7DA1054A460E1FDE751B60BAEAB2FEDF507B14C8EC5838CA4ADF65FED1932D13A6D2E06863D8826F263
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Local\Temp\tmp38A7.tmp
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1643
Entropy (8bit): 5.191935006828946
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Ttn:cbh47TlNQ//rydbz9I3YODOLNdq3h
MD5: 739C83E79C02D81150605F71DF35DD14
SHA1: D28870859AFCCB3329CB2C058EA2B111A7244EC8
SHA-256: 48FBD58CF4ABBA2117A0441C20858CE7F150EBE5DDB3730C80CD23213705AE42
SHA-512: D78431CE045DE6C25748584DF06FA4761B5368CE0BEEC7DA1054A460E1FDE751B60BAEAB2FEDF507B14C8EC5838CA4ADF65FED1932D13A6D2E06863D8826F263
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Local\Temp\tmp7A68.tmp
Process: C:\Users\user\Desktop\Order 00223342.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1643
Entropy (8bit): 5.191935006828946
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Ttn:cbh47TlNQ//rydbz9I3YODOLNdq3h
MD5: 739C83E79C02D81150605F71DF35DD14
SHA1: D28870859AFCCB3329CB2C058EA2B111A7244EC8
SHA-256: 48FBD58CF4ABBA2117A0441C20858CE7F150EBE5DDB3730C80CD23213705AE42
SHA-512: D78431CE045DE6C25748584DF06FA4761B5368CE0BEEC7DA1054A460E1FDE751B60BAEAB2FEDF507B14C8EC5838CA4ADF65FED1932D13A6D2E06863D8826F263
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Process: C:\Users\user\Desktop\Order 00223342.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 889344
Entropy (8bit): 7.621558859822141
Encrypted: false
SSDEEP: 12288:vixi30Q+fHfsyj9o9JMctMBgqas7/2jSvNcZlm46OLszjG25Ka/S6Pn645qZLm6g:asmsyxo95t8WQ/2oc36OAz75Kx6v645
MD5: 42FFDD434EFB48304897358B608EC54B
SHA1: EEDF22856000A4725F04B4A104548B6CEE6D2FBE
SHA-256: B68EC64435F531B2CF211C6012726EC96585A06AA3DA09BDE450D04C7F7754B3
SHA-512: FC98CBD80CE1CE6CF51BD6BD8E17227C611CE0CDB3AFCBC455DAA69306FAB58F458F79952F9C57B381CF2236698BE81A3F2DD177CD966AE95862EE066580AE92
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 27%
Reputation: low
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............0.............>.... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H.......................({...t..........................................K%#.&.p.Z.'.8.+B..(..;...$Fjxc....h.~h,-*Z.s8n.....V.'y..h.L..i.a...3...k.U.C.`4.]..X"..)....5`.^...,..[.(.....j.vc..C..@..@.a...k.t....G.R..8H....7v..d.,.y..0J9._..WL[.-.:T..q-/2J....o.....^...gy.U0z..X+.*.h..._[{.c.Y.j..,..4..K..').O..>...x.|[n.Ld\.X..<o.V.b...T9s..}..:C....WYzj.[A.!...TE....X.`..........;..Ts^.;.hjA..EU...:.x..O..+.F..j.l.../O0B.~}... 2.v.V...k......T.A..M.+..(..FDQ.c_...=.
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Order 00223342.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Roaming\lispKbUDYY.exe
Process: C:\Users\user\Desktop\Order 00223342.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 889344
Entropy (8bit): 7.621558859822141
Encrypted: false
SSDEEP: 12288:vixi30Q+fHfsyj9o9JMctMBgqas7/2jSvNcZlm46OLszjG25Ka/S6Pn645qZLm6g:asmsyxo95t8WQ/2oc36OAz75Kx6v645
MD5: 42FFDD434EFB48304897358B608EC54B
SHA1: EEDF22856000A4725F04B4A104548B6CEE6D2FBE
SHA-256: B68EC64435F531B2CF211C6012726EC96585A06AA3DA09BDE450D04C7F7754B3
SHA-512: FC98CBD80CE1CE6CF51BD6BD8E17227C611CE0CDB3AFCBC455DAA69306FAB58F458F79952F9C57B381CF2236698BE81A3F2DD177CD966AE95862EE066580AE92
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 27%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............0.............>.... ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H.......................({...t..........................................K%#.&.p.Z.'.8.+B..(..;...$Fjxc....h.~h,-*Z.s8n.....V.'y..h.L..i.a...3...k.U.C.`4.]..X"..)....5`.^...,..[.(.....j.vc..C..@..@.a...k.t....G.R..8H....7v..d.,.y..0J9._..WL[.-.:T..q-/2J....o.....^...gy.U0z..X+.*.h..._[{.c.Y.j..,..4..K..').O..>...x.|[n.Ld\.X..<o.V.b...T9s..}..:C....WYzj.[A.!...TE....X.`..........;..Ts^.;.hjA..EU...:.x..O..+.F..j.l.../O0B.~}... 2.v.V...k......T.A..M.+..(..FDQ.c_...=.
C:\Windows\System32\drivers\etc\hosts
Process: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
Preview: ..127.0.0.1

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.621558859822141
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Order 00223342.exe
File size: 889344
MD5: 42ffdd434efb48304897358b608ec54b
SHA1: eedf22856000a4725f04b4a104548b6cee6d2fbe
SHA256: b68ec64435f531b2cf211c6012726ec96585a06aa3da09bde450d04c7f7754b3
SHA512: fc98cbd80ce1ce6cf51bd6bd8e17227c611ce0cdb3afcbc455daa69306fab58f458f79952f9c57b381cf2236698be81a3f2dd177cd966ae95862ee066580ae92
SSDEEP: 12288:vixi30Q+fHfsyj9o9JMctMBgqas7/2jSvNcZlm46OLszjG25Ka/S6Pn645qZLm6g:asmsyxo95t8WQ/2oc36OAz75Kx6v645
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............0.............>.... ........@.. ....................................@................................

                                                                          File Icon

                                                                          Icon Hash:00828e8e8686b000

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x4da63e
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0x6073910C [Mon Apr 12 00:15:08 2021 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v4.0.30319
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the rest of the preview is zero padding, which the disassembler renders as a long run of add byte ptr [eax], al)

The single indirect jump goes through 0x402000, i.e. the IAT at RVA 0x2000 (see Data Directories), which holds the only import, mscoree.dll!_CorExeMain. This is the standard native stub of a managed executable: execution really begins in the CLR, with the CIL code in .text, so the native entrypoint says nothing about what the sample does.

                                                                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xda5e8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdc000 | 0x5c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd8644 | 0xd8800 | False | 0.764776991917 | data | 7.62719449376 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xdc000 | 0x5c0 | 0x600 | False | 0.429036458333 | data | 4.1520346235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xde000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The raw sizes add up to the file size (0x200 of headers + 0xd8800 + 0x600 + 0x200 = 0xd9200 = 889344), so there is no overlay. Almost the whole file is the single code section .text, at an entropy of 7.63: plain CIL and metadata do not reach that level, so the section is most likely compressed or encrypted content carried by a small managed loader, which fits the injection behaviour listed in the signatures.

                                                                          Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xdc0a0 | 0x330 | data | |
RT_MANIFEST | 0xdc3d0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                          Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                          Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Microsoft 2018
Assembly Version | 1.0.0.0
InternalName | .exe
FileVersion | 1.0.0.0
CompanyName | Microsoft
LegalTrademarks |
Comments |
ProductName | ASCIIArt
ProductVersion | 1.0.0.0
FileDescription | ASCIIArt
OriginalFilename | .exe

The file is not digitally signed (see General above), so the Microsoft company and copyright strings are unverified metadata; together with an InternalName/OriginalFilename of just ".exe" and a product name that has nothing to do with a purchase order, the version resource is a weak disguise rather than evidence of origin.
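As an added triage example (not part of the Joe Sandbox report and not the sample's code), the Python script below applies the three static checks an analyst draws from the tables above: section entropy against the executable flag, the import table, and the age of the compile timestamp relative to the analysis time. The section bytes are constructed stand-ins (a SHA-256 chain for .text, zero bytes for the other two) because the binary itself is not on this page; the characteristics, raw sizes, timestamp, analysis start and import list are the values reported above.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

# Section characteristic bits from winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# Values taken from the report: PE timestamp, analysis start (11:50 CEST = UTC+2) and import table.
TIME_DATE_STAMP = 0x6073910C
ANALYSIS_START = datetime(2021, 4, 12, 11, 50, tzinfo=timezone(timedelta(hours=2)))
IMPORTS = {"mscoree.dll": {"_CorExeMain"}}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(stamp: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def constructed_opaque_bytes(n: int, seed: bytes = b"constructed-section") -> bytes:
    """CONSTRUCTED stand-in for packed section content: a SHA-256 chain, so it is
    deterministic, works offline and sits close to 8 bits/byte like real compressed data."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def triage(sections, imports, stamp, analysis_start, entropy_threshold=7.0):
    """sections: list of (name, characteristics, raw_bytes). Returns human-readable findings."""
    findings = []
    for name, chars, raw in sections:
        ent = shannon_entropy(raw)
        # High entropy is only interesting where code is expected to be: an executable section.
        if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) and ent > entropy_threshold:
            findings.append(f"{name}: executable section with entropy {ent:.2f} > {entropy_threshold}, "
                            "content is likely compressed or encrypted (packed payload)")
    if imports == {"mscoree.dll": {"_CorExeMain"}}:
        findings.append("only import is mscoree.dll!_CorExeMain: managed executable, "
                        "the native import table says nothing about capabilities")
    built = pe_timestamp(stamp)
    age = analysis_start - built
    if age < timedelta(days=1):
        findings.append(f"compiled {built:%Y-%m-%d %H:%M:%S} UTC, {age} before analysis: freshly built sample")
    return findings


def example_findings():
    # Section table from the report; the raw bytes are constructed stand-ins with the reported raw sizes.
    sections = [
        (".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ,
         constructed_opaque_bytes(0xD8800)),
        (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\x00" * 0x600),
        (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ,
         b"\x00" * 0x200),
    ]
    return triage(sections, IMPORTS, TIME_DATE_STAMP, ANALYSIS_START)


if __name__ == "__main__":
    for finding in example_findings():
        print("-", finding)
```

On a real file the section bytes come from the raw offsets in the section table; the threshold of 7.0 bits/byte is a common rule of thumb for packed code, not a hard boundary, and should be read together with the import table (a managed stub has nothing to say natively) and the timestamp (a build less than a day old at analysis time points at a freshly re-packed campaign binary).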

                                                                          Network Behavior

                                                                          Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/12/21-11:51:58.357676 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49743 | 587 | 192.168.2.3 | 216.239.133.246

                                                                          Network Port Distribution

                                                                          TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 11:51:56.321605921 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:56.518439054 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:56.518675089 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:57.055463076 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.055896997 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:57.251620054 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.252190113 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.255521059 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:57.451930046 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.452625036 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:57.690771103 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.722445965 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.725493908 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:57.921540976 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.942845106 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:57.943325996 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:58.152831078 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:58.153400898 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:58.349838972 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:58.357676029 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:58.357968092 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:58.358094931 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:58.358253002 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246
Apr 12, 2021 11:51:58.555191994 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:58.927572966 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3
Apr 12, 2021 11:51:58.980458975 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246

                                                                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 11:49:54.973064899 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:49:55.033670902 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:49:55.875504017 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:49:55.924248934 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:49:57.020560980 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:49:57.069200039 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:49:58.103574991 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:49:58.155776978 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:49:58.995887041 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:49:59.044657946 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:49:59.773427963 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:49:59.824980021 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:00.904342890 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:00.954626083 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:01.993021011 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:02.046602011 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:03.256526947 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:03.305305004 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:04.363629103 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:04.416218996 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:05.516874075 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:05.568670988 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:06.657063007 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:06.705790997 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:07.472636938 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:07.522921085 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:09.469845057 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:09.527117014 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:10.646703005 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:10.695631027 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:11.439820051 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:11.497309923 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:12.461682081 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:12.510492086 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:29.522186995 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:29.574063063 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:34.692806005 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:34.757294893 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:41.163749933 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:41.224104881 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:50:59.195167065 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:50:59.262660027 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:51:06.120404959 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:51:06.173644066 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:51:11.816077948 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:51:11.874727964 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:51:41.306272984 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:51:41.355536938 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:51:42.921767950 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:51:42.996156931 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 11:51:56.093610048 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 11:51:56.162741899 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3

                                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 11:51:56.093610048 CEST | 192.168.2.3 | 8.8.8.8 | 0xadcf | Standard query (0) | mail.afciphil.com.ph | A (IP address) | IN (0x0001)

                                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 11:51:56.162741899 CEST | 8.8.8.8 | 192.168.2.3 | 0xadcf | No error (0) | mail.afciphil.com.ph | | 216.239.133.246 | A (IP address) | IN (0x0001)

                                                                          SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 12, 2021 11:51:57.055463076 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 220 mail.guardedhost.com ESMTP Postfix Customer Mail Relay Only. Enable SMTP Authentication to send through this server. (tev-mx6)
Apr 12, 2021 11:51:57.055896997 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246 | EHLO 045012
Apr 12, 2021 11:51:57.252190113 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 250-mail.guardedhost.com
    250-PIPELINING
    250-SIZE 26214400
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Apr 12, 2021 11:51:57.255521059 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246 | AUTH login aW1wb3J0ZG94X2piZXJlZG9AYWZjaXBoaWwuY29tLnBo
Apr 12, 2021 11:51:57.451930046 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Apr 12, 2021 11:51:57.722445965 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 235 2.7.0 Authentication successful
Apr 12, 2021 11:51:57.725493908 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246 | MAIL FROM:<importdox_jberedo@afciphil.com.ph>
Apr 12, 2021 11:51:57.942845106 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 250 2.1.0 Ok
Apr 12, 2021 11:51:57.943325996 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246 | RCPT TO:<importdox_jberedo@afciphil.com.ph>
Apr 12, 2021 11:51:58.152831078 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 250 2.1.5 Ok
Apr 12, 2021 11:51:58.153400898 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246 | DATA
Apr 12, 2021 11:51:58.349838972 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF>
Apr 12, 2021 11:51:58.358253002 CEST | 49743 | 587 | 192.168.2.3 | 216.239.133.246 | .
Apr 12, 2021 11:51:58.927572966 CEST | 587 | 49743 | 216.239.133.246 | 192.168.2.3 | 250 2.0.0 Ok: queued as 4FJkXt0SZYz2xYp

Reading the exchange: the sample resolves mail.afciphil.com.ph to 216.239.133.246, a host that greets as mail.guardedhost.com, i.e. the mailbox's domain is hosted at a third-party relay. The EHLO reply advertises AUTH PLAIN LOGIN but no STARTTLS, and the client authenticates with AUTH LOGIN on port 587 without negotiating TLS, so the credentials cross the wire in clear text. The base64 initial response aW1wb3J0ZG94X2piZXJlZG9AYWZjaXBoaWwuY29tLnBo decodes to importdox_jberedo@afciphil.com.ph and the 334 challenge UGFzc3dvcmQ6 decodes to "Password:". The client's answer to that challenge (the 11:51:57.452 client packet in the TCP list above) and the message body (the three client packets between 354 and the terminating ".") are not reproduced in this table; the Snort alert timestamp, 11:51:58.357676, is exactly the first of those body packets. Sender and recipient are the same mailbox, which is the usual AgentTesla SMTP pattern: the stolen data is mailed to an attacker-controlled account that doubles as the drop box, and the relay's queue id confirms the message was accepted.

                                                                          System Behavior

                                                                          General

                                                                          Start time:11:50:00
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\Desktop\Order 00223342.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\Order 00223342.exe'
                                                                          Imagebase:0x5c0000
                                                                          File size:889344 bytes
                                                                          MD5 hash:42FFDD434EFB48304897358B608EC54B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.221038470.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          General

                                                                          Start time:11:50:10
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp7A68.tmp'
                                                                          Imagebase:0xf10000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:50:11
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:50:11
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\Desktop\Order 00223342.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:{path}
                                                                          Imagebase:0x1c0000
                                                                          File size:889344 bytes
                                                                          MD5 hash:42FFDD434EFB48304897358B608EC54B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low

                                                                          General

                                                                          Start time:11:50:12
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\Desktop\Order 00223342.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0x6b0000
                                                                          File size:889344 bytes
                                                                          MD5 hash:42FFDD434EFB48304897358B608EC54B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.460273189.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.468074126.0000000002BF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          General

                                                                          Start time:11:50:45
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                                                                          Imagebase:0xcd0000
                                                                          File size:889344 bytes
                                                                          MD5 hash:42FFDD434EFB48304897358B608EC54B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.315476006.0000000004710000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 27%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:11:50:52
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp188D.tmp'
                                                                          Imagebase:0xa10000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:50:53
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:50:53
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                                                                          Imagebase:0x570000
                                                                          File size:889344 bytes
                                                                          MD5 hash:42FFDD434EFB48304897358B608EC54B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.330051191.0000000003DB0000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          General

                                                                          Start time:11:50:54
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0x5c0000
                                                                          File size:889344 bytes
                                                                          MD5 hash:42FFDD434EFB48304897358B608EC54B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.460425912.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.466403669.0000000002AE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          General

                                                                          Start time:11:50:59
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lispKbUDYY' /XML 'C:\Users\user\AppData\Local\Temp\tmp38A7.tmp'
                                                                          Imagebase:0xa10000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:51:00
                                                                          Start date:12/04/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6b2800000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:51:01
                                                                          Start date:12/04/2021
                                                                          Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0x9b0000
                                                                          File size:889344 bytes
                                                                          MD5 hash:42FFDD434EFB48304897358B608EC54B
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.460412900.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.467948127.0000000002F51000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low
