Windows Analysis Report 42092859-4 SOA Docs.exe

AV Detection:

Found malware configuration

Source: 7.2.42092859-4 SOA Docs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "Manii@sautiyapwanifm.com", "Password": "Mullardodo@#", "Host": "mail.sautiyapwanifm.com"}

Multi AV Scanner detection for submitted file

Source: 42092859-4 SOA Docs.exe

ReversingLabs: Detection: 39%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\xlpVvRzhctudF.exe	ReversingLabs: Detection: 39%

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.42092859-4 SOA Docs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 22.2.kprUEGC.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: 42092859-4 SOA Docs.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 42092859-4 SOA Docs.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49806 -> 198.187.31.108:587

URLs found in memory or binary data

Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569396589.0000000003381000.00000004.00000001.sdmp, kprUEGC.exe, 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kprUEGC.exe, 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp	String found in binary or memory: http://UJYCVD.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.300654522.0000000005994000.00000004.00000001.sdmp, 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.300654522.0000000005994000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com8e
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.300654522.0000000005994000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comzY6
Source: kprUEGC.exe	String found in binary or memory: http://kr.battle.net/heroes/ko/
Source: 42092859-4 SOA Docs.exe	String found in binary or memory: http://kr.battle.net/heroes/ko/?https://twitter.com/Dalsae_info9https://twitter.com/hanalen_
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.572087538.00000000036F0000.00000004.00000001.sdmp	String found in binary or memory: http://mail.sautiyapwanifm.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.345871713.0000000002A01000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.425242977.00000000028A1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.303014385.000000000599F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.303014385.000000000599F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.303014385.000000000599F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comI
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.303014385.000000000599F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comh
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351099343.0000000005990000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.302299362.0000000005995000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.302114703.00000000059CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-d
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.312459238.000000000599E000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.301805969.0000000005993000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304573349.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%1
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/71
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N1
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P1
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0nl
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%1
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304622447.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/k1
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304573349.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/k1
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304573349.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/of
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304573349.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/phy/
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.304573349.000000000599A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ts
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.299684249.00000000059AB000.00000004.00000001.sdmp, 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.299684249.00000000059AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com2
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.301805969.0000000005993000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.301805969.0000000005993000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krYX
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.300702115.0000000005994000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.net
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.351522437.0000000006BA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.303014385.000000000599F000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.302767684.0000000005995000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.303014385.000000000599F000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.s1
Source: 42092859-4 SOA Docs.exe, 00000000.00000003.303014385.000000000599F000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnr-c21
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569396589.0000000003381000.00000004.00000001.sdmp, 42092859-4 SOA Docs.exe, 00000007.00000002.572123518.00000000036FD000.00000004.00000001.sdmp	String found in binary or memory: https://G66GBSWH7MRa.net
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569396589.0000000003381000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: kprUEGC.exe, 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/account/verify_credentials.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/blocks/create.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/blocks/ids.json
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/direct_messages.json
Source: 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/direct_messages.jsonyhttps://api.twitter.com/1.1/friendships/no_retweets
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/favorites/create.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/favorites/destroy.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/favorites/list.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/friends/ids.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/friends/list.json
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/friendships/no_retweets/ids.json
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/friendships/update.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/destroy/
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/home_timeline.json
Source: 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/home_timeline.jsonahttps://upload.twitter.com/1.1/media/upload.
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/mentions_timeline.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/retweet/
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/show.json
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/unretweet/
Source: 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/unretweet/whttps://api.twitter.com/1.1/statuses/mentions_timeli
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: kprUEGC.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/user_timeline.json
Source: 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/statuses/user_timeline.jsonwhttps://api.twitter.com/1.1/account/verify_c
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/1.1/users/lookup.json
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/oauth/access_token
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/oauth/authorize?oauth_token=
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://api.twitter.com/oauth/request_token
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://pbs.twimg.com/media/
Source: kprUEGC.exe, kprUEGC.exe, 00000016.00000000.421754467.00000000009E2000.00000002.00020000.sdmp, kprUEGC.exe, 00000017.00000002.429574200.0000000000102000.00000002.00020000.sdmp, 42092859-4 SOA Docs.exe	String found in binary or memory: https://twitter.com/
Source: kprUEGC.exe	String found in binary or memory: https://twitter.com/Dalsae_info
Source: kprUEGC.exe	String found in binary or memory: https://twitter.com/hanalen_
Source: kprUEGC.exe	String found in binary or memory: https://upload.twitter.com/1.1/media/upload.json
Source: kprUEGC.exe	String found in binary or memory: https://userstream.twitter.com/1.1/user.json
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.348742961.0000000003A09000.00000004.00000001.sdmp, 42092859-4 SOA Docs.exe, 00000007.00000002.565104268.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000010.00000002.430143517.0000000003B2F000.00000004.00000001.sdmp, kprUEGC.exe, 00000016.00000002.565038455.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569396589.0000000003381000.00000004.00000001.sdmp, kprUEGC.exe, 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: mail.sautiyapwanifm.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Source: 7.2.42092859-4 SOA Docs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b52CA999Cu002dC71Du002d4230u002d93BBu002d3872CF433AB1u007d/u00321B91A29u002dDFF7u002d49DCu002dA2E6u002d116A69AF2530.cs

Large array initialization: .cctor: array initializer size 12054

.NET source code contains very large strings

Source: 42092859-4 SOA Docs.exe, FlowPanelManager.cs	Long String: Length: 34816
Source: xlpVvRzhctudF.exe.0.dr, FlowPanelManager.cs	Long String: Length: 34816
Source: 0.2.42092859-4 SOA Docs.exe.610000.0.unpack, FlowPanelManager.cs	Long String: Length: 34816
Source: 0.0.42092859-4 SOA Docs.exe.610000.0.unpack, FlowPanelManager.cs	Long String: Length: 34816
Source: kprUEGC.exe.7.dr, FlowPanelManager.cs	Long String: Length: 34816
Source: 7.2.42092859-4 SOA Docs.exe.ff0000.1.unpack, FlowPanelManager.cs	Long String: Length: 34816
Source: 7.0.42092859-4 SOA Docs.exe.ff0000.0.unpack, FlowPanelManager.cs	Long String: Length: 34816
Source: 16.0.kprUEGC.exe.460000.0.unpack, FlowPanelManager.cs	Long String: Length: 34816

Uses 32bit PE files

Source: 42092859-4 SOA Docs.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Detected potential crypto function

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 0_2_0288C634		0_2_0288C634
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 0_2_0288EA78		0_2_0288EA78
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 0_2_08B9C110		0_2_08B9C110
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 0_2_08B96300		0_2_08B96300
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011BC530		7_2_011BC530
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011B9000		7_2_011B9000
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011BE070		7_2_011BE070
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011B3238		7_2_011B3238
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011B0878		7_2_011B0878
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011BE06C		7_2_011BE06C
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011BA348		7_2_011BA348
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_016D48E0		7_2_016D48E0
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_016D4898		7_2_016D4898
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_016DDE21		7_2_016DDE21
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018A6180		7_2_018A6180
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018A68B8		7_2_018A68B8
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018A5B48		7_2_018A5B48
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018AB140		7_2_018AB140
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018AC0F9		7_2_018AC0F9
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018AB81E		7_2_018AB81E
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018AB50F		7_2_018AB50F
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018AB571		7_2_018AB571
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018AB4C7		7_2_018AB4C7
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_019016F8		7_2_019016F8
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_0192D190		7_2_0192D190
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_01926DF0		7_2_01926DF0
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_01928D10		7_2_01928D10
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_0192B808		7_2_0192B808
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_01920040		7_2_01920040
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_019237D0		7_2_019237D0
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_01920006		7_2_01920006
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_01925B80		7_2_01925B80
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_01928600		7_2_01928600
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011B3320		7_2_011B3320
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_0267C634		16_2_0267C634
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_0267EA77		16_2_0267EA77
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_0267EA78		16_2_0267EA78
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_0852C110		16_2_0852C110
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_08526300		16_2_08526300
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_012B48E0		22_2_012B48E0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_012B47F0		22_2_012B47F0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_012BDE21		22_2_012BDE21
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_05FE6EC0		22_2_05FE6EC0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_05FE7AD8		22_2_05FE7AD8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_05FE9A98		22_2_05FE9A98
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_05FE7208		22_2_05FE7208
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_05FE2B90		22_2_05FE2B90

Sample file is different than original file name gathered from version info

Source: 42092859-4 SOA Docs.exe, 00000000.00000000.296868330.00000000006C6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePathHelp.exe> vs 42092859-4 SOA Docs.exe
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.345871713.0000000002A01000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdwxXlPQZydMxJmFhGELz.exe4 vs 42092859-4 SOA Docs.exe
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.347152120.0000000002BAE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameColladaLoader.dll4 vs 42092859-4 SOA Docs.exe
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.352451004.0000000008A50000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs 42092859-4 SOA Docs.exe
Source: 42092859-4 SOA Docs.exe, 00000007.00000003.558500635.0000000006D93000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePathHelp.exe> vs 42092859-4 SOA Docs.exe
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.567839155.0000000001777000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 42092859-4 SOA Docs.exe
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.565104268.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameAdwxXlPQZydMxJmFhGELz.exe4 vs 42092859-4 SOA Docs.exe
Source: 42092859-4 SOA Docs.exe	Binary or memory string: OriginalFilenamePathHelp.exe> vs 42092859-4 SOA Docs.exe

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: 42092859-4 SOA Docs.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: xlpVvRzhctudF.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Sample is known by Antivirus

Source: 42092859-4 SOA Docs.exe

ReversingLabs: Detection: 39%

Sample reads its own file content

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File read: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Jump to behavior

PE file has an executable .text section and no other executable section

Source: 42092859-4 SOA Docs.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\42092859-4 SOA Docs.exe 'C:\Users\user\Desktop\42092859-4 SOA Docs.exe'
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xlpVvRzhctudF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB4F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process created: C:\Users\user\Desktop\42092859-4 SOA Docs.exe C:\Users\user\Desktop\42092859-4 SOA Docs.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xlpVvRzhctudF' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBE3.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xlpVvRzhctudF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB4F.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process created: C:\Users\user\Desktop\42092859-4 SOA Docs.exe C:\Users\user\Desktop\42092859-4 SOA Docs.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xlpVvRzhctudF' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBE3.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Creates files inside the user directory

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File created: C:\Users\user\AppData\Roaming\xlpVvRzhctudF.exe

Jump to behavior

Creates temporary files

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB4F.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@13/9@1/0

Reads ini files

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:120:WilError_01
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Mutant created: \Sessions\1\BaseNamedObjects\mLNPTFHTEO
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_01

Sample might require command line arguments

Source: 42092859-4 SOA Docs.exe

String found in binary or memory: BPD9-ADd

.NET source code contains calls to encryption/decryption functions

Source: 7.2.42092859-4 SOA Docs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.42092859-4 SOA Docs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

PE file contains a COM descriptor data directory

Source: 42092859-4 SOA Docs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 42092859-4 SOA Docs.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Source: 42092859-4 SOA Docs.exe, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: xlpVvRzhctudF.exe.0.dr, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.42092859-4 SOA Docs.exe.610000.0.unpack, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.42092859-4 SOA Docs.exe.610000.0.unpack, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: kprUEGC.exe.7.dr, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.42092859-4 SOA Docs.exe.ff0000.1.unpack, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.42092859-4 SOA Docs.exe.ff0000.0.unpack, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.kprUEGC.exe.460000.0.unpack, PinForm.cs	.Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 0_2_00618EC1 push es; retf 0001h		0_2_00619F57
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 0_2_0288C378 pushfd ; retf 04EAh		0_2_0288DA09
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 0_2_0914447D push FFFFFF8Bh; iretd		0_2_0914447F
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_00FF8EC1 push es; retf 0001h		7_2_00FF9F57
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011BF038 pushfd ; iretd		7_2_011BF081
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_011BEF8A pushad ; iretd		7_2_011BEF91
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_018A5AA1 push es; ret		7_2_018A5AB0
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Code function: 7_2_01926641 push edx; retf		7_2_0192664E
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_00468EC1 push es; retf 0001h		16_2_00469F57
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_0267C378 pushfd ; retf 0278h		16_2_0267DA09
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_0267E0B0 push C80278DCh; retf		16_2_0267F8BD
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_0267F8BF push C80278DCh; retf		16_2_0267F8BD
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 16_2_08B040D5 push dword ptr [edx+ebp*2-75h]; iretd		16_2_08B040DF
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_009E8EC1 push es; retf 0001h		22_2_009E9F57
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 22_2_012BD571 push esp; iretd		22_2_012BD57D

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.37694189427
Source: initial sample	Static PE information: section name: .text entropy: 7.37694189427
Source: initial sample	Static PE information: section name: .text entropy: 7.37694189427

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File created: C:\Users\user\AppData\Roaming\xlpVvRzhctudF.exe			Jump to dropped file
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xlpVvRzhctudF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB4F.tmp'

Creates an autostart registry key

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.345871713.0000000002A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.425242977.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.425528335.000000000296E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 42092859-4 SOA Docs.exe PID: 5936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 1244, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 42092859-4 SOA Docs.exe, 00000000.00000002.345871713.0000000002A01000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.425528335.000000000296E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 42092859-4 SOA Docs.exe, 00000000.00000002.345871713.0000000002A01000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.425528335.000000000296E000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe TID: 5800	Thread sleep time: -34036s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe TID: 4908	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe TID: 6928	Thread sleep time: -13835058055282155s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe TID: 2056	Thread sleep count: 617 > 30			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe TID: 2056	Thread sleep count: 9220 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5572	Thread sleep time: -34919s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5360	Thread sleep time: -21213755684765971s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 3652	Thread sleep count: 294 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 3652	Thread sleep count: 9539 > 30			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Window / User API: threadDelayed 617			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Window / User API: threadDelayed 9220			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Window / User API: threadDelayed 9539			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Queries a list of all running processes

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Thread delayed: delay time: 34036			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 34919			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: kprUEGC.exe, 00000010.00000002.425528335.000000000296E000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 00000010.00000002.425528335.000000000296E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.568012781.00000000017A4000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: kprUEGC.exe, 00000010.00000002.425528335.000000000296E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: kprUEGC.exe, 00000010.00000002.425528335.000000000296E000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Code function: 7_2_018A0A76 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,

7_2_018A0A76

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Memory written: C:\Users\user\Desktop\42092859-4 SOA Docs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xlpVvRzhctudF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB4F.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Process created: C:\Users\user\Desktop\42092859-4 SOA Docs.exe C:\Users\user\Desktop\42092859-4 SOA Docs.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xlpVvRzhctudF' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBE3.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569170872.0000000001E70000.00000002.00020000.sdmp, kprUEGC.exe, 00000016.00000002.568943224.0000000001860000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569170872.0000000001E70000.00000002.00020000.sdmp, kprUEGC.exe, 00000016.00000002.568943224.0000000001860000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569170872.0000000001E70000.00000002.00020000.sdmp, kprUEGC.exe, 00000016.00000002.568943224.0000000001860000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 42092859-4 SOA Docs.exe, 00000007.00000002.569170872.0000000001E70000.00000002.00020000.sdmp, kprUEGC.exe, 00000016.00000002.568943224.0000000001860000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Users\user\Desktop\42092859-4 SOA Docs.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Users\user\Desktop\42092859-4 SOA Docs.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query the account / user name

Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

Code function: 22_2_05FE54CC GetUserNameW,

22_2_05FE54CC

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 7.2.42092859-4 SOA Docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.kprUEGC.exe.39763d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.42092859-4 SOA Docs.exe.3ad63d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.kprUEGC.exe.39763d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.42092859-4 SOA Docs.exe.3ad63d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.430143517.0000000003B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.565038455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.348742961.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.565104268.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.349420112.0000000003C91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.427926661.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.569396589.0000000003381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 42092859-4 SOA Docs.exe PID: 5936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 42092859-4 SOA Docs.exe PID: 1316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 1244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6656, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\42092859-4 SOA Docs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000007.00000002.569396589.0000000003381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 42092859-4 SOA Docs.exe PID: 1316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6656, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 7.2.42092859-4 SOA Docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.kprUEGC.exe.39763d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.42092859-4 SOA Docs.exe.3ad63d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.kprUEGC.exe.39763d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.42092859-4 SOA Docs.exe.3ad63d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.430143517.0000000003B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.565038455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.348742961.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.565104268.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.349420112.0000000003C91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.427926661.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.569396589.0000000003381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.569246917.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 42092859-4 SOA Docs.exe PID: 5936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 42092859-4 SOA Docs.exe PID: 1316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 1244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kprUEGC.exe PID: 6656, type: MEMORYSTR