Windows Analysis Report SlipMT103.exe

Overview

General Information

Sample Name: SlipMT103.exe
Analysis ID: 528729
MD5: 5cbac1b17cef2bc95f5b18f87ec1de49
SHA1: 85d362c8463eaaf6c071414f741f32bd4cc51f0c
SHA256: 29291b4fb097c75dc3ecf4787a03175ec150319e9ab97a96b6084d1fe2dae2a5
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 1.0.SlipMT103.exe.400000.12.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "administracion@aquanova.es", "Password": "Aquaribe2419*", "Host": "mail.aquanova.es"}
Multi AV Scanner detection for submitted file
Source: SlipMT103.exe ReversingLabs: Detection: 40%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe ReversingLabs: Detection: 40%
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.SlipMT103.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.SlipMT103.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 12.2.kprUEGC.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.kprUEGC.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.SlipMT103.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: SlipMT103.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SlipMT103.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49830 -> 51.83.52.225:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 51.83.52.225
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49830 -> 51.83.52.225:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49830 -> 51.83.52.225:587
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SlipMT103.exe, 00000001.00000002.628274243.0000000002AAE000.00000004.00000001.sdmp String found in binary or memory: http://3jx9Nc9mcrIeyBPlhe.org
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp String found in binary or memory: http://DrWvWz.com
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/Views/MainWindow.xaml
Source: kprUEGC.exe, 0000000D.00000002.455081302.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://foo/Views/MainWindow.xaml
Source: SlipMT103.exe, 00000001.00000002.628449891.0000000002AFF000.00000004.00000001.sdmp String found in binary or memory: http://mail.aquanova.es
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, SlipMT103.exe, 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, SlipMT103.exe, 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SlipMT103.exe, 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, kprUEGC.exe, 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: mail.aquanova.es

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: SlipMT103.exe, 00000000.00000002.359649304.0000000000D9B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\SlipMT103.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 1.0.SlipMT103.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b63122FA5u002d5709u002d4B59u002dB007u002dC8CBD87FA871u007d/u00307651BC3u002d27A7u002d47FFu002dA50Au002d5D7213AA2347.cs Large array initialization: .cctor: array initializer size 11963
Source: 1.2.SlipMT103.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b63122FA5u002d5709u002d4B59u002dB007u002dC8CBD87FA871u007d/u00307651BC3u002d27A7u002d47FFu002dA50Au002d5D7213AA2347.cs Large array initialization: .cctor: array initializer size 11963
Source: 1.0.SlipMT103.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b63122FA5u002d5709u002d4B59u002dB007u002dC8CBD87FA871u007d/u00307651BC3u002d27A7u002d47FFu002dA50Au002d5D7213AA2347.cs Large array initialization: .cctor: array initializer size 11963
Source: 1.0.SlipMT103.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b63122FA5u002d5709u002d4B59u002dB007u002dC8CBD87FA871u007d/u00307651BC3u002d27A7u002d47FFu002dA50Au002d5D7213AA2347.cs Large array initialization: .cctor: array initializer size 11963
Uses 32bit PE files
Source: SlipMT103.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_00685C24
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_00686DBD
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_01108250
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_0110D2F8
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_0528F538
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00456DBD
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_0093CC88
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00934130
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00939528
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_009316ED
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00934BD8
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_0093CC29
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_009345B8
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B8ED30
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B82618
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B8CE40
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B81FF0
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B8ED78
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B88FF8
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00C285E0
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00C21620
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00C296B0
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00C26AF8
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00C27CF0
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00C21F90
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00CAA228
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00CA3764
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_027347A0
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_02733CCC
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_027346B0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE5C24
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE6DBD
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_01778250
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_0177D2F8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_059BF538
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_059B5AB0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_059B5AA0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_00726DBD
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_04F047A0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_04F046B0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_00976DBD
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_00975C24
Sample file is different than original file name gathered from version info
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.363621555.0000000005A00000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.359463739.0000000000700000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.364091388.0000000005F80000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs SlipMT103.exe
Source: SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCHSfumdsoSQKEDPbMIzAYpYIlMWkeKqWpKhYN.exe4 vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000000.355626536.00000000004D0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe, 00000001.00000002.621068774.00000000008F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SlipMT103.exe
Source: SlipMT103.exe Binary or memory string: OriginalFilenameIArraySortHelp.exe. vs SlipMT103.exe
Source: SlipMT103.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SlipMT103.exe ReversingLabs: Detection: 40%
Source: C:\Users\user\Desktop\SlipMT103.exe File read: C:\Users\user\Desktop\SlipMT103.exe:Zone.Identifier
Source: C:\Users\user\Desktop\SlipMT103.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SlipMT103.exe "C:\Users\user\Desktop\SlipMT103.exe"
Source: C:\Users\user\Desktop\SlipMT103.exe Process created: C:\Users\user\Desktop\SlipMT103.exe C:\Users\user\Desktop\SlipMT103.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\Desktop\SlipMT103.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\SlipMT103.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlipMT103.exe.log
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/5@1/1
Source: C:\Users\user\Desktop\SlipMT103.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: SlipMT103.exe String found in binary or memory: /IArraySortHelp;component/views/addbook.xaml
Source: SlipMT103.exe String found in binary or memory: views/addbook.baml
Source: SlipMT103.exe String found in binary or memory: views/addcustomer.baml
Source: SlipMT103.exe String found in binary or memory: /IArraySortHelp;component/views/addcustomer.xaml
Source: kprUEGC.exe String found in binary or memory: /IArraySortHelp;component/views/addbook.xaml
Source: kprUEGC.exe String found in binary or memory: views/addcustomer.baml
Source: kprUEGC.exe String found in binary or memory: views/addbook.baml
Source: kprUEGC.exe String found in binary or memory: /IArraySortHelp;component/views/addcustomer.xaml
Source: SlipMT103.exe String found in binary or memory: Y/IArraySortHelp;component/views/addbook.xamlo/IArraySortHelp;component/views/borrowfrombookview.xamle/IArraySortHelp;component/views/borrowingview.xaml_/IArraySortHelp;component/views/changebook.xamlg/IArraySortHelp;component/views/changecustomer.xamlc/IArraySortHelp;component/views/customerview.xamlg/IArraySortHelp;component/views/deletecustomer.xaml]/IArraySortHelp;component/views/errorview.xamla/IArraySortHelp;component/views/smallextras.xamla/IArraySortHelp;component/views/addcustomer.xaml
Source: SlipMT103.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: 1.0.SlipMT103.exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.SlipMT103.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SlipMT103.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SlipMT103.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SlipMT103.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SlipMT103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SlipMT103.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: SlipMT103.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SlipMT103.exe.680000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SlipMT103.exe.680000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: kprUEGC.exe.1.dr, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SlipMT103.exe.450000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SlipMT103.exe.450000.13.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SlipMT103.exe.450000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SlipMT103.exe.450000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SlipMT103.exe.450000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.SlipMT103.exe.450000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SlipMT103.exe.450000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_00689361 push ds; retf 0_2_00689364
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_006892F5 push ds; ret 0_2_00689340
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 0_2_00689347 push ds; ret 0_2_0068934C
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00459347 push ds; ret 1_2_0045934C
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00459361 push ds; retf 1_2_00459364
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_004592F5 push ds; ret 1_2_00459340
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00939EF8 push eax; ret 1_2_00939EF9
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00933F65 push esp; iretd 1_2_00933F66
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B87E3F push edi; retn 0000h 1_2_00B87E41
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE9361 push ds; retf 10_2_00EE9364
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE92F5 push ds; ret 10_2_00EE9340
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_00EE9347 push ds; ret 10_2_00EE934C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 10_2_059B56E0 push esp; iretd 10_2_059B56E9
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_007292F5 push ds; ret 12_2_00729340
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_00729361 push ds; retf 12_2_00729364
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 12_2_00729347 push ds; ret 12_2_0072934C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_00979347 push ds; ret 13_2_0097934C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_009792F5 push ds; ret 13_2_00979340
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 13_2_00979361 push ds; retf 13_2_00979364
Source: initial sample Static PE information: section name: .text entropy: 7.88568951342

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SlipMT103.exe File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: C:\Users\user\Desktop\SlipMT103.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SlipMT103.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.SlipMT103.exe.2b58e5c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kprUEGC.exe.3408f00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kprUEGC.exe.349b0f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SlipMT103.exe.2beae3c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SlipMT103.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 2900, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: SlipMT103.exe, 00000000.00000002.360382819.0000000002AF1000.00000004.00000001.sdmp, SlipMT103.exe, 00000000.00000002.360569240.0000000002BBA000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451324743.000000000346B000.00000004.00000001.sdmp, kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SlipMT103.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SlipMT103.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6440 Thread sleep count: 1554 > 30
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239859s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6440 Thread sleep count: 713 > 30
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6392 Thread sleep time: -40889s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239750s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239640s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239529s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239421s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239312s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239188s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -239059s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -238936s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -238778s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -238640s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -238531s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -238420s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -238312s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -238047s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -237641s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -237438s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -237250s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -236641s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -236188s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6436 Thread sleep time: -236047s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6912 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6920 Thread sleep count: 1732 > 30
Source: C:\Users\user\Desktop\SlipMT103.exe TID: 6920 Thread sleep count: 8087 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4544 Thread sleep count: 1933 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239860s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 4544 Thread sleep count: 1463 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5524 Thread sleep time: -34928s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239688s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239578s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239469s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239359s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239250s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239125s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -239016s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -238891s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -238750s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -238547s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -238422s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -238094s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -237922s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -237811s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -237703s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -237594s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -237391s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -237000s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -236750s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -236438s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -235094s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -234797s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -234671s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 348 Thread sleep time: -234547s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6868 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6796 Thread sleep count: 6267 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6796 Thread sleep count: 3552 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239859 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239750 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239640 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239529 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239421 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239312 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239188 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239059 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238936 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238778 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238640 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238531 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238420 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238312 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238047 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 237641 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 237438 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 237250 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 236641 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 236188 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 236047 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239860 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239688 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239359 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239250 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239016 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238750 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238422 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237811 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237703 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237594 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237391 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 236750 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 236438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 235094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 234797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 234671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 234547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SlipMT103.exe Window / User API: threadDelayed 1554
Source: C:\Users\user\Desktop\SlipMT103.exe Window / User API: threadDelayed 713
Source: C:\Users\user\Desktop\SlipMT103.exe Window / User API: threadDelayed 1732
Source: C:\Users\user\Desktop\SlipMT103.exe Window / User API: threadDelayed 8087
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Window / User API: threadDelayed 1933
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Window / User API: threadDelayed 1463
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Window / User API: threadDelayed 6267
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Window / User API: threadDelayed 3552
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SlipMT103.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SlipMT103.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239859
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 40889
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239750
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239640
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239529
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239421
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239312
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239188
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 239059
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238936
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238778
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238640
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238531
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238420
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238312
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 238047
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 237641
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 237438
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 237250
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 236188
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 236047
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SlipMT103.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239860
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 34928
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239688
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239578
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239469
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239359
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239250
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239125
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 239016
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238891
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238750
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238547
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238422
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 238094
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237922
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237811
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237703
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237594
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237391
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 237000
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 236750
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 236438
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 235094
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 234797
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 234671
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 234547
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: kprUEGC.exe, 0000000A.00000002.451118533.00000000033A1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\SlipMT103.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SlipMT103.exe Code function: 1_2_00B8CE40 LdrInitializeThunk, 1_2_00B8CE40
Source: C:\Users\user\Desktop\SlipMT103.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\SlipMT103.exe File written: C:\Windows\System32\drivers\etc\hosts
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SlipMT103.exe Process created: C:\Users\user\Desktop\SlipMT103.exe C:\Users\user\Desktop\SlipMT103.exe
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: SlipMT103.exe, 00000001.00000002.625902273.0000000001160000.00000002.00020000.sdmp, kprUEGC.exe, 0000000C.00000002.623212644.00000000013E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Users\user\Desktop\SlipMT103.exe VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Users\user\Desktop\SlipMT103.exe VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\Desktop\SlipMT103.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\SlipMT103.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.SlipMT103.exe.3c27038.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kprUEGC.exe.44a0e18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.kprUEGC.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.kprUEGC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kprUEGC.exe.44d7038.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.kprUEGC.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SlipMT103.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SlipMT103.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SlipMT103.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.kprUEGC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SlipMT103.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SlipMT103.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SlipMT103.exe.3bf0e18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kprUEGC.exe.44d7038.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.kprUEGC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SlipMT103.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.kprUEGC.exe.44a0e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SlipMT103.exe.3c27038.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SlipMT103.exe.3bf0e18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.358186685.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.446727696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.618566079.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.356758159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.448106925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.357240049.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.361078154.0000000003AFD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.444571373.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.445138730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.356357042.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.452252607.00000000043AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.618546688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SlipMT103.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SlipMT103.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 2900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 988, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SlipMT103.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SlipMT103.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SlipMT103.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SlipMT103.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 0000000C.00000002.624222923.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.626792715.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SlipMT103.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 988, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla