
Analysis Report ADVANCE PAYMENT.exe

Overview

General Information

Sample Name:ADVANCE PAYMENT.exe
Analysis ID:412569
MD5:5f7faffd15d103a7084b067984180d68
SHA1:cf29776fce975e3e53c65efcdc28027e4f95ef45
SHA256:2fa0de4488e95a4181f2604db50bd64986571e59e184548785c9759ca945c4a9

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • ADVANCE PAYMENT.exe (PID: 5792 cmdline: 'C:\Users\user\Desktop\ADVANCE PAYMENT.exe' MD5: 5F7FAFFD15D103A7084B067984180D68)
    • schtasks.exe (PID: 4652 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpE65C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kprUEGC.exe (PID: 3132 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 5F7FAFFD15D103A7084B067984180D68)
    • schtasks.exe (PID: 6032 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmp976C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kprUEGC.exe (PID: 5692 cmdline: {path} MD5: 5F7FAFFD15D103A7084B067984180D68)
  • kprUEGC.exe (PID: 5080 cmdline: 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe' MD5: 5F7FAFFD15D103A7084B067984180D68)
    • schtasks.exe (PID: 6660 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpBF19.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • kprUEGC.exe (PID: 4476 cmdline: {path} MD5: 5F7FAFFD15D103A7084B067984180D68)

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "info@medamanagement.com20@radihX21@Medamail.medamanagement.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(25 matches in total; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author
27.2.kprUEGC.exe.3fc68a0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
27.2.kprUEGC.exe.3fc68a0.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
23.2.kprUEGC.exe.44a68a0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
23.2.kprUEGC.exe.44a68a0.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
27.2.kprUEGC.exe.3fc68a0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(16 matches in total; the first 5 are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "info@medamanagement.com20@radihX21@Medamail.medamanagement.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ADIOBurIGIpulV.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | ReversingLabs: Detection: 29%
Source: 31.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 26.2.kprUEGC.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.ADVANCE PAYMENT.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: ADVANCE PAYMENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ADVANCE PAYMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.5:49737 -> 94.130.249.226:587
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: unknown | DNS traffic detected: queries for: mail.medamanagement.com
Source: ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: http://GTjlPP.com
Source: ADVANCE PAYMENT.exe, 00000007.00000002.499849851.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://mail.medamanagement.com
Source: ADVANCE PAYMENT.exe, 00000007.00000002.499849851.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://medamanagement.com
Source: ADVANCE PAYMENT.exe, 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.335098344.0000000003371000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, ADVANCE PAYMENT.exe, 00000007.00000002.499750161.0000000002E77000.00000004.00000001.sdmp | String found in binary or memory: https://aDgAHsg7H4G.net
Source: kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%Im
Source: ADVANCE PAYMENT.exe, 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, ADVANCE PAYMENT.exe, 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, kprUEGC.exe, 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ADVANCE PAYMENT.exe
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 7.2.ADVANCE PAYMENT.exe.400000.0.unpack, <PrivateImplementationDetails>{3C476D6E-AF53-41B0-9111-8FCCDA664AC2}/B287A308-0749-4135-A242-834FB457DA8F.cs | Large array initialization: .cctor: array initializer size 11970
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: ADVANCE PAYMENT.exe
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Code functions: 0_2_00A63E47, 0_2_0132C224, 0_2_0132E670, 0_2_0132E663, 0_2_053D6C28, 0_2_053D4998, 0_2_053DB220, 0_2_053D7B10, 0_2_053DF6A0, 0_2_053DF68F, 0_2_053DB210, 5_2_003D3E47, 6_2_00203E47, 7_2_00883E47, 7_2_00FC2858, 7_2_00FC0040, 7_2_00FCC988, 7_2_00FC6110, 7_2_00FC3A1C, 7_2_00FC8FC8, 7_2_00FC8B7F, 7_2_00FCE6C0, 7_2_0103A070, 7_2_01036778, 7_2_01035A18, 7_2_0114449F, 7_2_01144318, 7_2_01148F28, 7_2_0114F5E8, 7_2_01149778, 7_2_01149679
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Code functions: 23_2_00FA3E47, 23_2_0177C224, 23_2_0177E670, 23_2_0177E66B
Source: ADVANCE PAYMENT.exe | Binary or memory string: OriginalFilename vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000000.00000000.218724540.0000000000A62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename2JSgpbq.exe. vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000000.00000002.244288795.000000000BEF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameadsHzJsNVcLmqWsYkKVApb.exe4 vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000000.00000002.244466902.000000000BFF0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000000.00000002.244466902.000000000BFF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000005.00000000.231354403.00000000003D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename2JSgpbq.exe. vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000006.00000000.232397531.0000000000202000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename2JSgpbq.exe. vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000007.00000000.233463753.0000000000882000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename2JSgpbq.exe. vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000007.00000002.493688845.0000000001020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000007.00000002.493774113.0000000001040000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000007.00000002.494423748.00000000010B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000007.00000002.490458318.0000000000CF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe, 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameadsHzJsNVcLmqWsYkKVApb.exe4 vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe | Binary or memory string: OriginalFilename2JSgpbq.exe. vs ADVANCE PAYMENT.exe
Source: ADVANCE PAYMENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ADVANCE PAYMENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ADIOBurIGIpulV.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.ADVANCE PAYMENT.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@22/10@2/1
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File created: C:\Users\user\AppData\Roaming\ADIOBurIGIpulV.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4728:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Mutant created: \Sessions\1\BaseNamedObjects\aTIWaEDodGAbO
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE65C.tmp
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File read: C:\Users\user\Desktop\ADVANCE PAYMENT.exe
Source: unknown | Process created: C:\Users\user\Desktop\ADVANCE PAYMENT.exe 'C:\Users\user\Desktop\ADVANCE PAYMENT.exe'
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpE65C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Users\user\Desktop\ADVANCE PAYMENT.exe {path}
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Users\user\Desktop\ADVANCE PAYMENT.exe {path}
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Users\user\Desktop\ADVANCE PAYMENT.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmp976C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpBF19.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ADVANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ADVANCE PAYMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ADVANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: ADVANCE PAYMENT.exe, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: ADIOBurIGIpulV.exe.0.dr, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.ADVANCE PAYMENT.exe.a60000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.ADVANCE PAYMENT.exe.a60000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.ADVANCE PAYMENT.exe.3d0000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.ADVANCE PAYMENT.exe.3d0000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.2.ADVANCE PAYMENT.exe.200000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.ADVANCE PAYMENT.exe.200000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: kprUEGC.exe.7.dr, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.ADVANCE PAYMENT.exe.880000.1.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.ADVANCE PAYMENT.exe.880000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 23.0.kprUEGC.exe.fa0000.0.unpack, FormMathSample.cs.Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: ADVANCE PAYMENT.exeStatic PE information: 0x96AA010F [Sun Feb 6 01:29:51 2050 UTC]
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeCode function: 7_2_00FC8FC8 pushad ; retn 00D4h
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeCode function: 7_2_0103D57F push ebx; iretd
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeCode function: 7_2_0103D5CB push ebx; iretd
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeCode function: 7_2_0103B45F push edi; retn 0000h
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeCode function: 7_2_0103D617 push ebx; iretd
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.28308223773
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.28308223773
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.28308223773
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe File created: C:\Users\user\AppData\Roaming\ADIOBurIGIpulV.exe
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpE65C.tmp'
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 3132, type: MEMORY
                      Source: Yara match File source: Process Memory Space: ADVANCE PAYMENT.exe PID: 5792, type: MEMORY
                      Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 5080, type: MEMORY
                      Source: Yara match File source: 0.2.ADVANCE PAYMENT.exe.2e71ba8.1.raw.unpack, type: UNPACKEDPE
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: ADVANCE PAYMENT.exe, 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.335098344.0000000003371000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: ADVANCE PAYMENT.exe, 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.335098344.0000000003371000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeWindow / User API: threadDelayed 2972
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeWindow / User API: threadDelayed 6876
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeWindow / User API: threadDelayed 2672
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeWindow / User API: threadDelayed 7141
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe TID: 5944Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe TID: 5604Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe TID: 5996Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe TID: 5996Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe TID: 5552Thread sleep count: 2972 > 30
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe TID: 5552Thread sleep count: 6876 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 2900Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1100Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5972Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1632Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4720Thread sleep count: 33 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4720Thread sleep time: -30437127721620741s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5220Thread sleep count: 2672 > 30
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5220Thread sleep count: 7141 > 30
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeThread delayed: delay time: 31500
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 31500
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 31500
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeThread delayed: delay time: 922337203685477
                      Source: kprUEGC.exe, 0000001B.00000002.353154528.0000000001105000.00000004.00000020.sdmpBinary or memory string: VMware
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: kprUEGC.exe, 0000001B.00000002.353154528.0000000001105000.00000004.00000020.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware1REAON48Win32_VideoControllerG1Z65Z99VideoController120060621000000.000000-000371123.4display.infMSBDA1K_W59SDPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMR1A3SS
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeCode function: 7_2_00FCF890 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpE65C.tmp'
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Users\user\Desktop\ADVANCE PAYMENT.exe {path}
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Users\user\Desktop\ADVANCE PAYMENT.exe {path}
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Process created: C:\Users\user\Desktop\ADVANCE PAYMENT.exe {path}
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmp976C.tmp'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpBF19.tmp'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: ADVANCE PAYMENT.exe, 00000007.00000002.495490348.00000000015E0000.00000002.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.494685738.00000000014B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: ADVANCE PAYMENT.exe, 00000007.00000002.495490348.00000000015E0000.00000002.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.494685738.00000000014B0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: ADVANCE PAYMENT.exe, 00000007.00000002.495490348.00000000015E0000.00000002.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.494685738.00000000014B0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: ADVANCE PAYMENT.exe, 00000007.00000002.495490348.00000000015E0000.00000002.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.494685738.00000000014B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: ADVANCE PAYMENT.exe, 00000007.00000002.495490348.00000000015E0000.00000002.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.494685738.00000000014B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Users\user\Desktop\ADVANCE PAYMENT.exe VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Users\user\Desktop\ADVANCE PAYMENT.exe VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.ADVANCE PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3fbcac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 3132, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 4476, type: MEMORY
Source: Yara match | File source: Process Memory Space: ADVANCE PAYMENT.exe PID: 5792, type: MEMORY
Source: Yara match | File source: Process Memory Space: ADVANCE PAYMENT.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 5692, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 5080, type: MEMORY
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.ADVANCE PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3fbcac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\ADVANCE PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 4476, type: MEMORY
Source: Yara match | File source: Process Memory Space: ADVANCE PAYMENT.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 5692, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.ADVANCE PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3fbcac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 3132, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 4476, type: MEMORY
Source: Yara match | File source: Process Memory Space: ADVANCE PAYMENT.exe PID: 5792, type: MEMORY
Source: Yara match | File source: Process Memory Space: ADVANCE PAYMENT.exe PID: 4496, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 5692, type: MEMORY
Source: Yara match | File source: Process Memory Space: kprUEGC.exe PID: 5080, type: MEMORY
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.kprUEGC.exe.3fc68a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.kprUEGC.exe.44a68a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.ADVANCE PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3fbcac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ADVANCE PAYMENT.exe.3f868a0.3.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (311) | Scheduled Task/Job (1) | Process Injection (12) | File and Directory Permissions Modification (1) | OS Credential Dumping (2) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (1) | Scheduled Task/Job (1) | Disable or Modify Tools (1) | Input Capture (11) | System Information Discovery (114) | Remote Desktop Protocol | Data from Local System (2) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder (1) | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | Query Registry (1) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | Security Software Discovery (421) | Distributed Component Object Model | Input Capture (11) | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (13) | LSA Secrets | Process Discovery (2) | SSH | Clipboard Data (1) | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (241) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (241) | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection (12) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 412569, Sample: ADVANCE PAYMENT.exe, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 100

Signatures on the start node: Found malware configuration; Multi AV Scanner detection for dropped file; Yara detected AgentTesla; 10 other signatures

Process tree recovered from the graph:

• ADVANCE PAYMENT.exe (started)
• dropped: C:\Users\user\AppData\...\ADIOBurIGIpulV.exe, PE32
• dropped: C:\Users\user\AppData\Local\...\tmpE65C.tmp, XML
• started: ADVANCE PAYMENT.exe
• contacted: medamanagement.com 94.130.249.226, 49737, 587 HETZNER-ASDE Germany
• contacted: mail.medamanagement.com
• dropped: C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32
• dropped: C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII
• signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 4 other signatures
• started: schtasks.exe, which started conhost.exe
• started: ADVANCE PAYMENT.exe
• started: ADVANCE PAYMENT.exe
• kprUEGC.exe (started)
• signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
• started: schtasks.exe, which started conhost.exe
• started: kprUEGC.exe
• kprUEGC.exe (started)
• started: kprUEGC.exe, which dropped C:\Windows\System32\drivers\etc\hosts, ASCII
• started: schtasks.exe, which started conhost.exe


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ADIOBurIGIpulV.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
31.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
26.2.kprUEGC.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
7.2.ADVANCE PAYMENT.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://mail.medamanagement.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%Im | 0% | Avira URL Cloud | safe
http://medamanagement.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://aDgAHsg7H4G.net | 0% | Avira URL Cloud | safe
http://GTjlPP.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
medamanagement.com | 94.130.249.226 | true | true | | unknown
mail.medamanagement.com | unknown | unknown | true | | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.medamanagement.com | ADVANCE PAYMENT.exe, 00000007.00000002.499849851.0000000002E81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%Im | ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://medamanagement.com | ADVANCE PAYMENT.exe, 00000007.00000002.499849851.0000000002E81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, kprUEGC.exe, 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ADVANCE PAYMENT.exe, 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp, kprUEGC.exe, 00000017.00000002.335098344.0000000003371000.00000004.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.354627256.0000000002E91000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | ADVANCE PAYMENT.exe, 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, ADVANCE PAYMENT.exe, 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, kprUEGC.exe, 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, kprUEGC.exe, 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://aDgAHsg7H4G.net | ADVANCE PAYMENT.exe, 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, ADVANCE PAYMENT.exe, 00000007.00000002.499750161.0000000002E77000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://GTjlPP.com | kprUEGC.exe, 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
94.130.249.226 | medamanagement.com | Germany | 24940 | HETZNER-ASDE | true

                            General Information

                            Joe Sandbox Version:32.0.0 Black Diamond
                            Analysis ID:412569
                            Start date:12.05.2021
                            Start time:19:28:22
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 13m 18s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:ADVANCE PAYMENT.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.adwa.spyw.evad.winEXE@22/10@2/1
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Excluded IPs from analysis (whitelisted): 13.64.90.137, 131.253.33.200, 13.107.22.200, 20.50.102.62, 13.88.21.125, 92.122.145.220, 104.43.193.48, 184.30.24.56, 20.82.210.154, 92.122.213.194, 92.122.213.247, 2.20.142.209, 2.20.143.16, 20.82.209.183, 52.155.217.156, 20.54.26.129
                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
19:29:11 | API Interceptor | 746x Sleep call for process: ADVANCE PAYMENT.exe modified
19:29:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
19:29:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
19:29:56 | API Interceptor | 307x Sleep call for process: kprUEGC.exe modified

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection
94.130.249.226 | COPY OF N-N.exe | malicious
94.130.249.226 | BANK ACCOUNT DETAILS.exe | malicious
94.130.249.226 | SWIFT COPY FOR ADVANCE PAYMENT.exe | malicious

                                  Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                  ASN

Match | Associated Sample Name / URL | Detection | Context
HETZNER-ASDE | 3c7a62a5_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 169f7aa7_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | b48fbc98_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | c9d6dad1_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 1c739085_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 3175e64e_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | b0874db7_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 7de2731b_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 7e6e1ce6_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | b1a617df_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 65e41f56_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | c9a3f59c_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | ea71ab3c_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 57ec04bd_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | b7beb1c5_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 1b21ec17_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | ef063a1f_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | fba1ed56_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | 0143c381_by_Libranalysis.dll | malicious | 188.40.137.206
HETZNER-ASDE | f41e2082_by_Libranalysis.dll | malicious | 188.40.137.206

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADVANCE PAYMENT.exe.log
                                  Process:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1308
                                  Entropy (8bit):5.345811588615766
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log
                                  Process:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1308
                                  Entropy (8bit):5.345811588615766
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                  C:\Users\user\AppData\Local\Temp\tmp976C.tmp
                                  Process:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1651
                                  Entropy (8bit):5.1739352103291605
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBoOtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3uo
                                  MD5:619181DD0CFD5F56A0E445667A51A3AB
                                  SHA1:1148EF77873328CA532ED3048122D9A2A2013089
                                  SHA-256:050D326ABF9F696DA3DEC6C73E35FBDFB44F167AA288E4A6CAEC384AA5BB2031
                                  SHA-512:6F0D6BB5CC7938F02AAC182EFAEFED6F33850FF17E5DEBBA73EA0451FCDF5D1C1E4018B05250F2AB9547249A31F7E5BE340AF4BF6D84A1FCC21F97CC6EE8C9D2
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  C:\Users\user\AppData\Local\Temp\tmpBF19.tmp
                                  Process:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1651
                                  Entropy (8bit):5.1739352103291605
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBoOtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3uo
                                  MD5:619181DD0CFD5F56A0E445667A51A3AB
                                  SHA1:1148EF77873328CA532ED3048122D9A2A2013089
                                  SHA-256:050D326ABF9F696DA3DEC6C73E35FBDFB44F167AA288E4A6CAEC384AA5BB2031
                                  SHA-512:6F0D6BB5CC7938F02AAC182EFAEFED6F33850FF17E5DEBBA73EA0451FCDF5D1C1E4018B05250F2AB9547249A31F7E5BE340AF4BF6D84A1FCC21F97CC6EE8C9D2
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  C:\Users\user\AppData\Local\Temp\tmpE65C.tmp
                                  Process:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1651
                                  Entropy (8bit):5.1739352103291605
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBoOtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3uo
                                  MD5:619181DD0CFD5F56A0E445667A51A3AB
                                  SHA1:1148EF77873328CA532ED3048122D9A2A2013089
                                  SHA-256:050D326ABF9F696DA3DEC6C73E35FBDFB44F167AA288E4A6CAEC384AA5BB2031
                                  SHA-512:6F0D6BB5CC7938F02AAC182EFAEFED6F33850FF17E5DEBBA73EA0451FCDF5D1C1E4018B05250F2AB9547249A31F7E5BE340AF4BF6D84A1FCC21F97CC6EE8C9D2
                                  Malicious:true
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  C:\Users\user\AppData\Roaming\ADIOBurIGIpulV.exe
                                  Process:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):747008
                                  Entropy (8bit):7.281492253868151
                                  Encrypted:false
                                  SSDEEP:12288:nLxvoLLoS60/K7yh0ZJo5olwIHZJV41sbLmYsQc91hMsSJdnidPPU5ce2:nZoLAkAwC41sxsxhMsAiSb2
                                  MD5:5F7FAFFD15D103A7084B067984180D68
                                  SHA1:CF29776FCE975E3E53C65EFCDC28027E4F95EF45
                                  SHA-256:2FA0DE4488E95A4181F2604DB50BD64986571E59E184548785C9759CA945C4A9
                                  SHA-512:07C81E65D3B6C8232A195C45B6C8A1F6135CCDEDC4234803BBA927BB8EA0804E7716174861E140F22A858FADA7B1B52C2129DAD63035A98F47B2F6029462BDA9
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 30%
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..\...........z... ........@.. ....................................@.................................lz..O...................................Pz............................................... ............... ..H............text....Z... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................z......H.......0`..Pp.........................................................".(.....*^..}.....(.......(.....*....0.............{....o......(.........,..r...p(....&.Yr'..p.rc..p(....s......o....&ri..p(....&.{....r...po ..........o!...(".....o!...(....&...*.........de........*&..(#....*R..(#....s>...($....*...0..+.........,..{.......+....,...{....o%.......(&....*..0............s'...}.....s(...}.....s)...}.....s*...}.....s+...}.....s+...}.....s+...}.....{....o,.....(,.....{.....o-..
                                  C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  Process:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):747008
                                  Entropy (8bit):7.281492253868151
                                  Encrypted:false
                                  SSDEEP:12288:nLxvoLLoS60/K7yh0ZJo5olwIHZJV41sbLmYsQc91hMsSJdnidPPU5ce2:nZoLAkAwC41sxsxhMsAiSb2
                                  MD5:5F7FAFFD15D103A7084B067984180D68
                                  SHA1:CF29776FCE975E3E53C65EFCDC28027E4F95EF45
                                  SHA-256:2FA0DE4488E95A4181F2604DB50BD64986571E59E184548785C9759CA945C4A9
                                  SHA-512:07C81E65D3B6C8232A195C45B6C8A1F6135CCDEDC4234803BBA927BB8EA0804E7716174861E140F22A858FADA7B1B52C2129DAD63035A98F47B2F6029462BDA9
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 30%
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..\...........z... ........@.. ....................................@.................................lz..O...................................Pz............................................... ............... ..H............text....Z... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................z......H.......0`..Pp.........................................................".(.....*^..}.....(.......(.....*....0.............{....o......(.........,..r...p(....&.Yr'..p.rc..p(....s......o....&ri..p(....&.{....r...po ..........o!...(".....o!...(....&...*.........de........*&..(#....*R..(#....s>...($....*...0..+.........,..{.......+....,...{....o%.......(&....*..0............s'...}.....s(...}.....s)...}.....s*...}.....s+...}.....s+...}.....s+...}.....{....o,.....(,.....{.....o-..
                                  C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview: [ZoneTransfer]....ZoneId=0
                                  C:\Windows\System32\drivers\etc\hosts
                                  Process:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):11
                                  Entropy (8bit):2.663532754804255
                                  Encrypted:false
                                  SSDEEP:3:iLE:iLE
                                  MD5:B24D295C1F84ECBFB566103374FB91C5
                                  SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                  SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                  SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                  Malicious:true
                                  Preview: ..127.0.0.1

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.281492253868151
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:ADVANCE PAYMENT.exe
                                  File size:747008
                                  MD5:5f7faffd15d103a7084b067984180d68
                                  SHA1:cf29776fce975e3e53c65efcdc28027e4f95ef45
                                  SHA256:2fa0de4488e95a4181f2604db50bd64986571e59e184548785c9759ca945c4a9
                                  SHA512:07c81e65d3b6c8232a195c45b6c8a1f6135ccdedc4234803bba927bb8ea0804e7716174861e140f22a858fada7b1b52c2129dad63035a98f47b2f6029462bda9
                                  SSDEEP:12288:nLxvoLLoS60/K7yh0ZJo5olwIHZJV41sbLmYsQc91hMsSJdnidPPU5ce2:nZoLAkAwC41sxsxhMsAiSb2
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..\...........z... ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:00828e8e8686b000

                                  Static PE Info

                                  General

                                  Entrypoint:0x4b7abe
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x96AA010F [Sun Feb 6 01:29:51 2050 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]

                                  Data Directories

                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7a6c          0x4f          .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb8000          0x59c         .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0xc           .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0xb7a50          0x1c          .text
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                  Sections

                                   Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                   .text   0x2000           0xb5ac4       0xb5c00   False     0.725346834164   data       7.28308223773   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                   .rsrc   0xb8000          0x59c         0x600     False     0.419921875      data       4.06910086836   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc  0xba000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                   Name         RVA      Size   Type                                                                         Language  Country
                                   RT_VERSION   0xb8090  0x30c  data
                                   RT_MANIFEST  0xb83ac  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                  Imports

                                   DLL          Import
                                   mscoree.dll  _CorExeMain

                                  Version Infos

                                   Description       Data
                                   Translation       0x0000 0x04b0
                                   LegalCopyright    Copyright 2019
                                   Assembly Version  1.0.0.0
                                   InternalName      2JSgpbq.exe
                                   FileVersion       1.0.0.0
                                   CompanyName
                                   LegalTrademarks
                                   Comments
                                   ProductName       Pencil
                                   ProductVersion    1.0.0.0
                                   FileDescription   Pencil
                                   OriginalFilename  2JSgpbq.exe

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                   Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                   May 12, 2021 19:31:05.630732059 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:05.700001955 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:05.700243950 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:05.784383059 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:05.784930944 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:05.855249882 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:05.857615948 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:05.928811073 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:05.929619074 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:06.038675070 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:07.525000095 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:07.526365042 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:07.595570087 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:07.595876932 CEST  587          49737      94.130.249.226  192.168.2.5
                                   May 12, 2021 19:31:07.595973015 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:07.600446939 CEST  49737        587        192.168.2.5     94.130.249.226
                                   May 12, 2021 19:31:07.671339035 CEST  587          49737      94.130.249.226  192.168.2.5

                                  UDP Packets

                                   Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                   May 12, 2021 19:29:01.409590006 CEST  65307        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:01.457051039 CEST  64344        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:01.458488941 CEST  53           65307      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:01.491046906 CEST  62060        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:01.530342102 CEST  53           64344      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:01.556109905 CEST  53           62060      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:02.507740021 CEST  61805        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:02.556539059 CEST  53           61805      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:03.666384935 CEST  54795        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:03.715910912 CEST  53           54795      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:04.786247969 CEST  49557        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:04.835269928 CEST  53           49557      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:04.879534960 CEST  61733        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:04.940094948 CEST  53           61733      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:06.712596893 CEST  65447        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:06.763154030 CEST  53           65447      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:07.939219952 CEST  52441        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:07.990004063 CEST  53           52441      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:09.240782976 CEST  62176        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:09.298485994 CEST  53           62176      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:10.385736942 CEST  59596        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:10.438246965 CEST  53           59596      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:12.592395067 CEST  65296        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:12.644021034 CEST  53           65296      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:13.842453003 CEST  63183        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:13.891094923 CEST  53           63183      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:15.166038036 CEST  60151        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:15.217531919 CEST  53           60151      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:30.787345886 CEST  56969        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:30.876152039 CEST  53           56969      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:36.941909075 CEST  55161        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:37.022655010 CEST  53           55161      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:46.651103020 CEST  54757        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:46.710347891 CEST  53           54757      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:29:56.695102930 CEST  49992        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:29:56.758189917 CEST  53           49992      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:13.790872097 CEST  60075        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:13.865329981 CEST  53           60075      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:23.026396036 CEST  55016        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:23.085515976 CEST  53           55016      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:45.345563889 CEST  64345        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:45.480214119 CEST  53           64345      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:46.154416084 CEST  57128        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:46.214062929 CEST  53           57128      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:46.848700047 CEST  54791        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:47.007949114 CEST  53           54791      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:47.447452068 CEST  50463        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:47.491097927 CEST  50394        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:47.515821934 CEST  53           50463      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:47.548773050 CEST  53           50394      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:48.169991016 CEST  58530        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:48.227147102 CEST  53           58530      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:48.815660954 CEST  53813        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:48.867316008 CEST  53           53813      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:49.376791954 CEST  63732        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:49.530723095 CEST  53           63732      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:50.583528996 CEST  57344        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:50.643418074 CEST  53           57344      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:51.801578999 CEST  54450        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:51.858509064 CEST  53           54450      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:30:52.420274973 CEST  59261        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:30:52.471354961 CEST  53           59261      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:31:04.962460995 CEST  57151        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:31:05.029449940 CEST  53           57151      8.8.8.8      192.168.2.5
                                   May 12, 2021 19:31:05.441067934 CEST  59413        53         192.168.2.5  8.8.8.8
                                   May 12, 2021 19:31:05.498018026 CEST  53           59413      8.8.8.8      192.168.2.5

                                  DNS Queries

                                   Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
                                   May 12, 2021 19:31:04.962460995 CEST  192.168.2.5  8.8.8.8  0x351e    Standard query (0)  mail.medamanagement.com  A (IP address)  IN (0x0001)
                                   May 12, 2021 19:31:05.441067934 CEST  192.168.2.5  8.8.8.8  0x1388    Standard query (0)  mail.medamanagement.com  A (IP address)  IN (0x0001)

                                  DNS Answers

                                   Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                     CName               Address         Type                    Class
                                   May 12, 2021 19:31:05.029449940 CEST  8.8.8.8    192.168.2.5  0x351e    No error (0)  mail.medamanagement.com  medamanagement.com                  CNAME (Canonical name)  IN (0x0001)
                                   May 12, 2021 19:31:05.029449940 CEST  8.8.8.8    192.168.2.5  0x351e    No error (0)  medamanagement.com                           94.130.249.226  A (IP address)          IN (0x0001)
                                   May 12, 2021 19:31:05.498018026 CEST  8.8.8.8    192.168.2.5  0x1388    No error (0)  mail.medamanagement.com  medamanagement.com                  CNAME (Canonical name)  IN (0x0001)
                                   May 12, 2021 19:31:05.498018026 CEST  8.8.8.8    192.168.2.5  0x1388    No error (0)  medamanagement.com                           94.130.249.226  A (IP address)          IN (0x0001)

                                  SMTP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                  May 12, 2021 19:31:05.784383059 CEST | 587 | 49737 | 94.130.249.226 | 192.168.2.5 | 220-xenophon.alexandreia.com ESMTP Exim 4.94.2 #2 Wed, 12 May 2021 20:31:05 +0300
                                                                                                                       220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                       220 and/or bulk e-mail.
                                  May 12, 2021 19:31:05.784930944 CEST | 49737 | 587 | 192.168.2.5 | 94.130.249.226 | EHLO 579569
                                  May 12, 2021 19:31:05.855249882 CEST | 587 | 49737 | 94.130.249.226 | 192.168.2.5 | 250-xenophon.alexandreia.com Hello 579569 [84.17.52.78]
                                                                                                                       250-SIZE 52428800
                                                                                                                       250-8BITMIME
                                                                                                                       250-PIPELINING
                                                                                                                       250-PIPE_CONNECT
                                                                                                                       250-AUTH PLAIN LOGIN
                                                                                                                       250-STARTTLS
                                                                                                                       250 HELP
                                  May 12, 2021 19:31:05.857615948 CEST | 49737 | 587 | 192.168.2.5 | 94.130.249.226 | AUTH login aW5mb0BtZWRhbWFuYWdlbWVudC5jb20=
                                  May 12, 2021 19:31:05.928811073 CEST | 587 | 49737 | 94.130.249.226 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                  May 12, 2021 19:31:07.525000095 CEST | 587 | 49737 | 94.130.249.226 | 192.168.2.5 | 535 Incorrect authentication data
                                  May 12, 2021 19:31:07.526365042 CEST | 49737 | 587 | 192.168.2.5 | 94.130.249.226 | MAIL FROM:<info@medamanagement.com>
                                  May 12, 2021 19:31:07.595570087 CEST | 587 | 49737 | 94.130.249.226 | 192.168.2.5 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

                                  Code Manipulations

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:19:29:08
                                  Start date:12/05/2021
                                  Path:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\ADVANCE PAYMENT.exe'
                                  Imagebase:0xa60000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.235733072.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.238500128.0000000003E59000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:19:29:13
                                  Start date:12/05/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpE65C.tmp'
                                  Imagebase:0xa60000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:29:14
                                  Start date:12/05/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7ecfc0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:29:14
                                  Start date:12/05/2021
                                  Path:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x3d0000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  General

                                  Start time:19:29:15
                                  Start date:12/05/2021
                                  Path:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x200000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  General

                                  Start time:19:29:15
                                  Start date:12/05/2021
                                  Path:C:\Users\user\Desktop\ADVANCE PAYMENT.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x880000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.496550935.0000000002BC1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.488696376.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:19:29:52
                                  Start date:12/05/2021
                                  Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                                  Imagebase:0xfa0000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.337399242.0000000004379000.00000004.00000001.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 30%, ReversingLabs
                                  Reputation:low

                                  General

                                  Start time:19:29:59
                                  Start date:12/05/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmp976C.tmp'
                                  Imagebase:0xf40000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:29:59
                                  Start date:12/05/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7ecfc0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:30:00
                                  Start date:12/05/2021
                                  Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x9b0000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001A.00000002.357183186.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.359274645.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:19:30:01
                                  Start date:12/05/2021
                                  Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
                                  Imagebase:0x960000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001B.00000002.356573819.0000000003E99000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:19:30:09
                                  Start date:12/05/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ADIOBurIGIpulV' /XML 'C:\Users\user\AppData\Local\Temp\tmpBF19.tmp'
                                  Imagebase:0xf40000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:30:09
                                  Start date:12/05/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7ecfc0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:30:10
                                  Start date:12/05/2021
                                  Path:C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x450000
                                  File size:747008 bytes
                                  MD5 hash:5F7FAFFD15D103A7084B067984180D68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000002.488341768.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.495714599.0000000002AC1000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  Disassembly

                                  Code Analysis
